Many of our members believe they are fully GDPR compliant but we thought it worth raising the GDPR myths that are still circulating over a year after GDPR came into force.
GDPR is just like Y2K
25th May 2018 came and went – just like 31st December 1999. Despite what many still believe, GDPR is not like the Y2K millennium bug. The requirement to prepare for it didn’t end on 25th May 2018, it began. GDPR compliance is a journey. Even if you were compliant on 25th May 2018, you may no longer be compliant. Your systems, practices and procedures need continual review to ensure that the data you hold and process remains appropriate, necessary and secure. The regulator and your clients are becoming ever more alert to privacy control.
I have a privacy notice, I’m compliant
It is still a widespread belief that having an up-to-date privacy notice on your website equals compliance with GDPR. This is just the start – along with paying your data protection fee to the ICO. You also need to put physical and cyber security measures in place, define policies and procedures around the handling of data in your organisation and train your staff in these, have processes in place for data breaches and subject access requests and ensure that the businesses you share data with are also compliant. And once you’ve done all of that, you need to make sure that all your data protection systems remain up-to-date and compliant over time as your team, the ways you work and the data you need change.
I’m not likely to have a breach
In the first 11 months after GDPR came into force, over 14,000 breaches were notified to the ICO. And according to a recent survey by the Department for Digital, Culture, Media & Sport, 32% of businesses identified cyber security breaches or attacks in the previous 12 months. Bear in mind that cyber-attacks represent only 16% of data breaches and you start to understand the scale of the problem. The question is when rather than if you have a breach.
GDPR doesn’t matter because of Brexit
Whilst the EU GDPR would no longer apply in the UK after a no deal Brexit, the UK Government has taken steps to ensure that data protection still works from day one – by basically creating a UK GDPR. It has stated that ‘the fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same.’
Don’t take a risk
Our data protection partner Astrid offers a free compliance check – just create an account, go through to stage 1 of their process and take the quick GDPR test. To ensure that the public’s personal data and our members’ business are protected, the Society of Will Writers recommends you take up the 10% discount offer we have negotiated with Astrid for full access to the tools and guidance they provide to help small and medium sized businesses become and remain GDPR compliant.