There’s still plenty of confusion around GDPR and data protection, so here Rustam Roy tackles some common myths that we regularly come across.
Myth 1: Once compliant, always compliant
Under the GDPR, compliance is an ongoing process rather than a one-off exercise. Your processes, suppliers and technology will keep changing, and each change needs to be assessed for its data protection impact, documented and dealt with. A record of processing that was accurate at go-live is not accurate a year later unless someone has kept it up to date.
Myth 2: We’ve got a privacy policy and some other templates so we are ok
Template documents can be a useful starting point, but unless they are tailored to your business, its processes, capabilities and technology, they are unlikely to be fit for purpose. A privacy policy that describes processing you don't do, or omits processing you do, is itself a transparency failure. See our blog on the dangers of using templates.
Myth 3: No one will notice, hardly anyone is compliant
Whilst it's true that many businesses are not fully compliant, it only takes one breach of personal data (especially one affecting a group of data subjects) for your processes to be scrutinised by the regulator, and you may well be fined. Bear in mind that a breach likely to result in a risk to individuals must be notified to the regulator within 72 hours of your becoming aware of it, and any data subject can lodge a complaint with the regulator at any time, so scrutiny does not depend on the regulator choosing to look at you. See our recent blog on how this is starting to impact smaller businesses.
Myth 4: Data protection laws prevent marketing
Data protection compliance DOES NOT prevent marketing. What the law requires is that you have a lawful basis for the processing (for direct marketing, typically consent or legitimate interests), that you are transparent with individuals about how their data is used, that they have a straightforward way to object to direct marketing (a right which, under the GDPR, must always be honoured), and that the decisions you have made are documented.
Myth 5: You are required to have a separate data processing agreement
While the GDPR requires a contract between a data controller and its processors that contains specified terms (the subject matter and duration of the processing, the processor's obligations on security, sub-processors, assistance, deletion or return of data, and audits, among others), that contract does not have to be a separate document. If the contract you already have in place (for SaaS, for example) includes terms that meet those requirements, that is sufficient, and it can be more efficient, because it lets both parties deal with the allocation of risk in one document. The check to make is whether the required terms are actually all present, not whether there is a document with "data processing agreement" in its title.
Myth 6: If you breach data protection laws you get fined immediately
Fines are very unlikely to be levied as an immediate remedy unless the breach is very serious, which could include the absence of ANY data protection compliance efforts. Regulators have a range of other tools, such as warnings, reprimands and enforcement notices, and wherever possible they will seek to assess your processes and make recommendations to help you improve them. Being able to show what you did, when and why is what makes that conversation go well.
If you're worried about any of the above, we can help. We'll work with you to put in place a practical data protection strategy that minimises reputational, legal and financial risk, help you understand what personal data you hold and what you do with it, and get the right documents, policies and processes in place so that you stay compliant.