Blog: Brexit means no GDPR right? Wrong!

GDPR, Brexit and other myths debunked

GDPR, Brexit and other myths debunked

If you've been to any industry conference over the past 6-12 months, then there is a very high possibility that you've heard the phrase General Data Protection Regulation or GDPR. If you haven't heard of GDPR by now, then it's time to pull your head out of the sand and pay attention.

It is less than 12 months until this new legislation is introduced and alarmingly, a recent report found that one in four businesses in the UK say they have cancelled all preparations for the EU General Data Protection Regulation! Why and who took that decision? They are on collision course to potentially ruining their business reputation or crippling it financially with fines up to 4% of global turnover or €20m ready to be imposed.

The reason for this lack of preparation is based on the myth that because of our impending exit from the European Union, the UK will no longer have to abide by laws set by those faceless politicians in Brussels. Unfortunately for some, this could not be further from the truth. GDPR is happening. There is no escaping it. Over the years, the UK might make amendments to certain aspects of the legislation, but is any UK government going to weaken our data security policies in the wake of recent cyber-security attacks and attempted hacks? We doubt it.

So, to make sure you aren't caught out by listening to the rumour mill, we've taken the five top myths, researched the GDPR legislation and brought you the truth.

1. A third party manages data for me, therefore it's not my responsibility.
Nice try – but GDPR places a huge emphasis on the responsibility and accountability of data management, processing and storage. If you work in a business that has partners or suppliers that use or share your data, then under GDPR both you and they are accountable for how personal data is managed, processed and stored. Should a data breach occur, there is no pointing fingers – your data security will come under scrutiny from the Information Commissioner's Office (ICO).

2. My business is based outside the EU, so GDPR doesn't apply to me.
If only that was the case. Any business that offers goods or services, or tracks the behaviour of EU citizens must abide by GDPR. In a global economy where the Internet has broken down many barriers, there is no escaping GDPR just because your business does not have a physical presence in the EU. If your customers are in the EU, then you better start reading up on GDPR.

3. We already have permission to market to our contact database, I don't need to ask them again.
Any marketer within a business that thinks this is, I'm afraid, delusional. The 'Double Opt-In' standard has been in force within Germany for some time, and now it's time for the rest of us to follow suit. Whilst this might seem like extra work, the upside is that it forces businesses to clean their contact database. The result will be two lists. One is the gold mine of engaged contacts that you can be sure want to receive more information from you. The other is a list of contacts that you should work hard to re-engage with or qualify them out.

4. I'm compliant! Now the ICO will leave me alone.
Technically yes, until you have a breach and then you'll be under the microscope. The key is auditability and being able to prove that you have taken every necessary step to protect your data from a breach. You also won't be able to sweep it under the carpet and hope no-one finds out. Under GDPR you must notify the ICO within 72 hours of becoming aware of a data breach.

5. I need to spend all my budget on cyber security.
Cyber-security gets all the headlines. I give you the WannaCry hack. However, data breaches can exist in the physical world too. 10 years ago, it seemed like every other week a USB drive or laptop with sensitive information was being left on a bus or tube train. Yes, invest in cyber defence, but also invest in encryption of your physical assets and the disposal of these assets. Many businesses use IT Asset Disposal companies (ITADs) to recycle old IT hardware, however it is believed that just 10% of ITADs will be able to provide the level of assurance and proof that will be required under GDPR, creating a potential gap that could be exploited in the end-phase of managing your data lifecycle.

For more information on where your business stands on all these myths and what you should be preparing for, visit the ICO website and read its Overview of GDPR.