Since it came into force in May 2018, GDPR has remained on the tip of every business owner’s tongue, and storing personal data securely continues to be a minefield. To unravel some of the regulation’s complexity, we decided to examine what data security really means under GDPR and explore the top 5 misunderstandings about it.
The Information Commissioner’s Office (ICO) defines personal data as ‘information that relates to an identified or identifiable individual’. This simply means that any information which identifies an individual, such as a name, an identification number, an IP address or a cookie identifier, is regarded as personal data.
It is important to remember that information which is truly anonymous is not covered by the GDPR, although very little information comes under this umbrella. If an individual can still be identified from the data, even when combined with other information, it is still personal data and subject to GDPR; pseudonymised data, where the identifying details are merely separated out, remains in scope.
What are the top 5 misunderstandings of GDPR?
1: “Everyone is going to get fined”
Whilst the threat of a fine of up to 4% of annual worldwide turnover (or €20 million, whichever is higher) looms over businesses’ heads, in reality this harshest penalty is reserved for the most serious infringements: companies that have made no effort to comply, have disregarded the regulation outright, or have suffered a data breach because their security measures were inadequate. However, a fine is still possible for lesser failings, and every effort should be made to stay in line with the GDPR.
2: “Brexit means we don’t need to bother”
With the Brexit deal the talk of many UK citizens, how it will affect our everyday lives is still uncertain. The UK regulator has confirmed that the GDPR continues to apply in the UK: its requirements have been written into domestic law (the UK GDPR alongside the Data Protection Act 2018), and keeping UK rules aligned with the EU regulation remains imperative, not least because any business handling the data of EU residents must still comply with the EU GDPR.
3: “We’ve sent the emails and updated the privacy policy”
Communications such as notification emails and lengthy privacy policies about how data is stored are an important part of GDPR, but they are not enough on their own. GDPR requires you to demonstrate compliance: you must document the decisions you make about each processing activity and the security measures you are taking to protect that data from unauthorised access or misuse.
4: “It’s just a tick in a box”
Consent must be unambiguous; it is not enough to present a pre-ticked box and ask people to un-tick it if they want to stop receiving emails or do not consent to their data being held. A person must actively ‘check’ a box, or otherwise give clear affirmative consent such as in writing, and be made fully aware of what this involves, including how they can withdraw that consent later.
5: “GDPR is only for large companies”
No matter the size of the business, if you are holding, working with or in any way using personal data then staying in line with GDPR is essential. It may seem that GDPR only really concerns the larger companies that can afford professional compliance advice, but this is not the case: the obligations apply regardless of size.