The ‘big six’ data protection myths

Since 25th May 2018 we’ve analysed several hundred post-GDPR privacy notices and found fewer than a dozen that are even marginally compliant.

This means the majority of businesses could be in breach of the legislation, so here are some facts you need to make sure you’re not one of them.


Myth 1: GDPR was all wrapped up by 25th May
False! UK Information Commissioner Elizabeth Denham has stated: “25 May is not the end of anything, it is the beginning...” adding, “opportunities to improve your organisation and the services you offer, through the GDPR, are enormous.”
Your most urgent and important new obligation is transparency – the requirement to keep your data subjects completely, accurately and clearly informed about what you do with their personal data, why, and on what lawful basis, in a way they can easily understand.

Myth 2: You can leave compliance to IT and Legal
False! IT is involved in only about ten per cent of your compliance obligations, and much of that ten per cent concerns how you manage the personal data your systems process, rather than the technologies themselves. Your lawyers can help you understand your obligations, but they aren’t necessarily the best people to help you fulfil them day to day. Nor are they likely to be the best authors of the easily readable, readily understandable public documents that the regulations require.

Myth 3: A fine is your biggest risk
False! Despite the hype around fines, they are probably the least of your worries provided you take reasonable steps to respect your data subjects’ rights and be accountable to them and to the Information Commissioner. But remember, the regulations do not consider risk to you. They exist solely to protect your data subjects, imposing on you the responsibility to minimise risk to them. Yes, there can be fines for failing to do so, but the real penalty for failure is losing the goodwill of your data subjects, whether customers, suppliers, associates or staff. That could cause irreparable harm to your business.

Myth 4: You’re small enough to slip under the radar
False! Every organisation that processes personal data must achieve compliance, and a small organisation can suffer proportionately greater damage to its reputation if it’s found not to be compliant. Compliance is not just about avoiding data breaches and ‘hacking’. There are many things on which your business can be challenged by both your data subjects and the Information Commissioner, and all it takes is for a complaint to be made. Formal enforcement action is published by the Information Commissioner and remains on the public record, and you could also face the cost of fixing the non-compliance at short notice. But even if a complaint is not upheld, the administrative burden of responding to it can be very disruptive for a small business, and it can easily get into the local news.

Myth 5: GDPR is too complex for you to understand
False! The regulations aren’t at all complex once you understand the principles, which in broad terms are obvious – process only the personal data you need to, for specific, necessary and lawful purposes; keep it accurate, secure and for no longer than necessary; be entirely open about what you’re doing; and address concerns raised by your data subjects. But it is important to come up to speed as soon as possible, particularly in the case of privacy notices that tell your data subjects what you do and why, or you lay yourself open to complaints. And there can be a valuable spin-off from getting it right. Several of our clients discovered redundant business processes while preparing their privacy notices, thereby opening the door to streamlining and saving resources.

Myth 6: You can outsource compliance to a ‘certified GDPR consultant’
False! Firstly, there’s no such thing as a ‘certified GDPR consultant’. The certification mechanisms GDPR does provide for (Article 42) apply to processing operations, not to consultants or advisers, so any assertion by a consultancy of GDPR certification only means that someone has attended an unapproved commercial training course. Secondly, the regulations say that it’s you who must demonstrate accountability. That means all relevant decisions will be assumed in law to be your own, so, whatever advice you take, you will be held responsible for the outcome.

What a consultancy can genuinely offer you is guidance and support to make your own good decisions – provided it has the expertise. We bring over 20 years of practical data protection experience to the table, covering the entire spectrum of compliance requirements.

Mike Barwise
Director, BiR