5 GDPR myths your social enterprise will encounter along the route to compliance
In May 2018, the General Data Protection Regulation (GDPR) will come into effect and change the way your social enterprise is expected to collect, process and share personal data.
There’s absolutely no escaping the replacement for the Data Protection Act – its changes, rules and regulations are far-reaching and will have significant consequences for any business that fails to comply.
To illustrate this fact, the fines are large. Really large.
Fall foul of the GDPR, and you could be hit with a penalty equal to 4% of global turnover or €20 million.
So, clearly, time is of the essence, but before diving head-first into the things you’ll need to do to become GDPR compliant, there are some common myths to debunk.
The following list isn’t exhaustive, but it represents the five most common misnomers you’ll encounter during your journey:
1. Brexit means UK companies won’t have to comply with GDPR
Sorry – this simply isn’t true.
The GDPR will come into effect well before the UK’s exit from the European Union, and even when the tie has been severed, the rules will apply to every EU national’s data.
Therefore, any data you hold about customers either from EU countries or who are EU nationals situated within the UK will be subject to the GDPR rules.
2. It’s all about cybercrime
A big part of the GDPR will focus on your social enterprise’s ability to respond in a timely, ordered and strategic manner to any instances of data breach.
But that isn’t the GDPR’s sole focus.
The new rules are largely aimed at making it easier for the owners of personal data to access their information. Under the GDPR you’ll be expected to provide owners with free access to their data (subject to certain exemptions such as repetitive requests) and respond to such requests quickly.
You’ll also need to ensure data subjects are made aware of exactly what you’ll be doing with their data and make ‘opt-in’ to data capture abundantly clear.
3. Fines are guaranteed
We’ve already noted how big the fines for non-compliance are, but it’s unlikely they’ll be handed out quite as freely as some people insist.
Due to the amount of work required by many business to become GDPR compliant, there’s likely to be some leniency during the first few months with the ICO taking the carrot/stick approach, rather than continually making examples of businesses.
Despite this, work on the assumption you will be fined, and it should give you the impetus required to get things sorted!
4. It’s all down to IT
GDPR is indeed heavily linked to data activity, but that doesn’t mean the responsibility rests solely with the tech side of your social enterprise.
The new set of regulations require a cultural shift when it comes to how businesses process and interpret personal data. As a result, GDPR compliance is a team effort, and one which will involve every department within your organisation.
5. Compliance can be achieved quickly
If you hold only a small customer database or ask for limited information from customers, don’t assume that’ll make compliance a cinch.
Everything is relative, and no matter how small the personal data element of your social enterprise, you’ll still have a fair amount of work to do before May next year.
We’re just months away from the GDPR coming into effect, and it’s therefore vital that you begin planning and making the necessary changes now.
Just keep the above myths foremost in your mind while doing so, because the last thing you’ll need is to worry unnecessarily or conduct work that simple wasn’t required.