
11 myths about GDPR

There are a lot of myths circulating about the impact of the EU General Data Protection Regulation (GDPR). This is understandable as it’s a complicated subject.

But believing these myths is no excuse for not abiding by the regulations set out by GDPR. Indeed, some of these common myths could land you in hot water.

1. My business is too small for GDPR to apply
2. You must be 100% GDPR compliant on the 25th May 2018
3. GDPR only affects businesses in Europe
4. Brexit means UK firms don’t need to worry about GDPR
5. GDPR only applies to data customers give me
6. You must have consent to process personal data
7. You don’t need consent to process personal data
8. You must get ‘double opt-in’ from customers for email newsletter signups
9. Everyone needs a Data Protection Officer
10. The biggest threat to businesses is huge fines from GDPR
11. All personal data breaches will need to be reported to the ICO

Let’s take a look at some of the most common myths and misunderstandings about GDPR.


1. My business is too small for GDPR to apply

Sorry everyone, there’s no such thing as being too small for data protection. If you’re collecting or processing personally identifiable information about customers or individuals, no matter how small your operation may be, GDPR applies to you.


2. You must be 100% GDPR compliant on the 25th May 2018

Whilst GDPR will be enforced from the 25th of May 2018, the Information Commissioner’s Office have stated that they expect GDPR to be a journey that continues after May 25th.

What this means is that the ICO does not expect everyone to have GDPR perfectly embedded in their business by the 25th May. Instead, it will be an ongoing journey in which businesses identify new challenges and address them. Businesses must be able to show that they have the foundations of accountability in place, and demonstrate a willingness to work with the ICO to resolve any issues.

“We pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR… Those who self-report, who engage with [the ICO] to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”

Elizabeth Denham, Information Commissioner, ICO

At the end of the day, there has been a two-year grace period for businesses to get their act together, and the ICO will be enforcing the legislation from the 25th May 2018. So whilst a small infraction may be something you can work with the ICO to resolve, don’t expect them to go lightly on you should something bigger arise.


3. GDPR only affects businesses in Europe

Fortunately for European consumers, the majority of firms that wish to provide goods or services to Europeans will need to comply with GDPR. This is the case regardless of where a company is based and where the personal data of their European customers is stored.


4. Brexit means UK firms don’t need to worry about GDPR

For the moment the UK is bound by GDPR legislation, as it will come into force before the UK leaves the EU. But that doesn’t mean GDPR will disappear when the UK eventually leaves.

The UK government has voiced its commitment to maintaining strong links with Europe when it comes to data. Services is one of the UK’s largest sectors, and much of its work depends on the collection and analysis of data. If the UK wants to continue providing services as well as goods to Europe, it will need to maintain legislation very similar to GDPR.


5. GDPR only applies to data customers give me

GDPR applies to any personally identifiable information, whether given to you by a customer or individual, or collected without their explicit consent. For example, if you’re collecting data through advertising or website analytics and you’re not anonymising it – perhaps you’re recording the customer’s IP address – then you are capturing data covered by GDPR. It’s worth remembering that GDPR applies to any personal information you collect about individuals, whether customers, employees or anyone else.

6. You must have consent to process personal data

This myth has grown from the media’s fixation on how recording consent is changing with GDPR. For example, businesses can no longer use an opt-out policy when it comes to consent – such as a pre-ticked box on a website form.

But this is simply about improving the basis businesses have for consent.

This does not mean that securing explicit consent from customers is the ultimate goal for businesses. Consent only matters if your basis for using customer data is built on consent.

There are a number of other ways you can lawfully justify the use of customer data that do not require explicit consent from a customer. The legislation lists six principles of lawfulness, which we’ve looked at here, all of which can provide a basis for legitimately processing customer information.

7. You don’t need consent to process personal data

In complete contrast to the myth above, some people seem to think that the concept of ‘legitimate interest’ in the GDPR framework means that they do not need to get customer consent in order to process their data.

But as with the ‘you must have consent’ myth, it’s actually partially right.

Legitimate interest allows businesses to lawfully process personal data where there is a need by the business to do so for either legal, contractual or public interest reasons. If your use of personal data does not fit the requirements for legitimate interest, you should be using one of the other principles as the basis for your data use.


8. You must get ‘double opt-in’ from customers for email newsletter signups

If you don’t already know, a double opt-in is when you sign up for something and you’re then asked to confirm this subscription. For example, if you sign up to receive news alerts via email from a website, a double opt-in will mean you receive an email asking you to confirm your subscription.

Under GDPR, this is not a requirement. A number of websites and commentators have said that double opt-in is required to satisfy GDPR’s need for proven explicit consent. But this is not the case. So long as you can show that a user had to opt in when they first submitted (or you recorded) their data, and that the wording of the opt-in is clear and accurate, you should be fine.

On a side note, there are lots of good reasons to use a double opt-in anyway: it can stop spam, and users who complete the double opt-in are often more likely to convert into a sale.


9. Everyone needs a Data Protection Officer

The good news for small businesses is that not every business requires a Data Protection Officer. You will only be required to appoint a Data Protection Officer if you are a public authority; you engage in large scale systematic monitoring of customers and individuals; or your organisation processes a large volume of sensitive personal data about individuals or customers.


10. The biggest threat to businesses is huge fines from GDPR

Despite some of the scaremongering headlines, the point of GDPR is not to fine companies: it is to protect citizens of the EU.

Yes, the fines the ICO can hand out, currently limited to £500k, could under GDPR reach a limit of €20million or 4% of a firm’s turnover. But the history of the ICO, and their various statements, suggest they are not out to fine companies, let alone for small infringements as some news stories have claimed.

Now, you might think that this is exactly the sort of thing the ICO would say. But if we look at the ICO’s track record, we can get some context. In the 2016/17 financial year the ICO concluded over 17,000 cases. Only 16 resulted in fines.

“The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”

Elizabeth Denham, Information Commissioner, ICO

11. All personal data breaches will need to be reported to the ICO

This is not strictly true, though there are certainly instances when the ICO should be notified of a data breach. Current British law makes the reporting of most personal data breaches best practice rather than compulsory.

Under GDPR, whilst not all data breaches will need to be reported, any breach that is likely to result in a risk to people’s rights or freedoms must be reported to the ICO.

Also, contrary to some people’s beliefs, the requirement that businesses report data breaches that pose a threat to the freedoms and rights of people is not about punishing organisations. These laws are designed to make protecting customers and their data a priority for firms.


Want more information on GDPR?

If you would like more information about GDPR you can visit our Legal & HR advice hub, which has a number of articles about GDPR; you can claim a free 15 minute GDPR consultation with legal services provider Lawbite; or you can contact the ICO’s GDPR hotline for SMEs on 0303 123 1113.

Reference to any organisation, business and event on this page does not constitute an endorsement or recommendation from the British Business Bank or the UK Government. Whilst we make reasonable efforts to keep the information on this page up to date, we do not guarantee or warrant (implied or otherwise) that it is current, accurate or complete. The information is intended for general information purposes only and does not take into account your personal situation, nor does it constitute legal, financial, tax or other professional advice. You should always consider whether the information is applicable to your particular circumstances and, where appropriate, seek professional or specialist advice or support.
