Bari Pollard

GDPR 12 Months on

The General Data Protection Regulation (GDPR) came into force in May 2018, and by the letter of the law, virtually every business in the UK needs to comply with it. However, there are still some misconceptions surrounding the law and what it means to organisations. This can lead to difficult situations where mistakes can be made.

Complying with the GDPR is not optional – it is a legal requirement for any organisation that does business with EU clients, customers, partners or suppliers. If you are concerned that you don’t understand the GDPR and aren’t sure if your business is fully compliant, it is worth consulting with experts. Getting compliance right will help you avoid the risk of large fines and give your business added security.

Myth 1 - The large fines are just a threat.

France’s data protection agency, CNIL, fined Google €50 million. It seems Google was not complying with a key part of the regulations and had failed to provide information to their customers about how their data was being used. However some smaller companies have been fined using GDPR across Europe that are more interesting.

Some early fines -

Marriot Intention to fine £99 Million -

BA Intention to fine £183.39 Million -

Myth 2 - The GDPR won’t apply to the UK after Brexit.

However, it is important to note that the UK transposed all of the rules of the GDPR into the Data Protection Act 2018. This means that UK businesses will have exactly the same compliance requirements after Brexit as they did before. Additionally, it should be noted that any British business that has dealings with EU citizens will still need to comply with the GDPR directly.

It's worth checking this - The 3 steps to prepare your data for Brexit -

Myth 3 - Once you are compliant you can stop worrying

You might assume that as soon as your business is GDPR compliant, you can simply forget about the issue and go back to business as usual. But it is important to note that complying with the GDPR is actually an ongoing process rather than something that you achieve forever. Businesses need to ensure that they are taking regular steps to keep personal data secure. Ask yourself; what projects have started recently, have I done a Data Impact Assessment, is my data privacy statement still correct?

Myth 4 - Consent must be explicitly obtained

Some organisations believed – and continue to believe – that consent needs to be explicitly gained. However, this misses the fact that businesses can utilise a clause in the GDPR that allows organizations to contact individuals if there is legitimate interest from the individual. For example, if you are a membership organisation you have a legitimate interest to contact your clients around their membership. However you don't have consent to contact them around fundraising unless you have asked for it.

Further Information

As always the Information Commissioner's Office is the place to go for further information around GDPR and Data Protection -