The General Data Protection Regulation (GDPR) has been enforceable since 25 May 2018, but many businesses are still confused about what compliance requires. Make sure that your business is not making any of the seven common GDPR mistakes listed below.
- Assuming that the size of the business makes a difference
If you run a very small business, you might assume that the GDPR does not apply to you. The answer is simple: the regulation has no size threshold. Any organisation that processes the personal data of people in the EU needs to comply with the GDPR. (The test is where the data subject is, not their citizenship.) The only size-related concession is the limited exemption from record-keeping for organisations with fewer than 250 employees, and it does not apply if the processing is regular, is likely to pose a risk to individuals, or involves special categories of data.
- Allowing Brexit to confuse the issue
There are still businesses that assume that if Brexit goes ahead as planned, UK businesses will no longer be required to follow EU laws, and therefore there is no need to spend time and money on becoming GDPR compliant. This is a serious mistake.
Firstly, even after Brexit, any company that continues to offer goods or services to people in the EU, or to monitor their behaviour (for example, by selling to customers in the EU or tracking them online), will still fall within the GDPR's territorial scope and will need to follow it. And, perhaps more crucially, the UK government has chosen to keep the GDPR rules in UK law, supplemented by the Data Protection Act 2018, so Brexit will not remove the obligations.
- Failing to appoint an Article 27 representative
There are some things that many businesses do not even realise are an essential part of being compliant with the GDPR. For example, if your business is not established within the EU but still offers goods or services to, or monitors the behaviour of, people in the EU, then Article 27 requires you to designate a representative established in the EU. The representative acts as a point of contact for supervisory authorities and for data subjects, and is expected to maintain your record of processing activities; it does not need to host your EU data. The only exemption is for processing that is occasional, does not involve large-scale processing of special-category or criminal-conviction data, and is unlikely to result in a risk to individuals.
It might seem like a small issue, but failing to appoint an Article 27 representative when one is required exposes you to the first tier of administrative fines: up to €10 million or 2 per cent of total worldwide annual turnover, whichever is higher.
- Thinking online data is the only issue
Yes, it is certainly true that businesses have had to make major improvements and upgrades to their cyber security as part of becoming GDPR compliant. But this has led to a misconception that only data stored on computers falls under the remit of the GDPR, and that this is therefore the only thing you need to be concerned about.
The truth is that the GDPR covers personal data processed by automated means and personal data held in, or intended for, a structured filing system, whatever the medium. Paper records, filing cabinets and archived documents are all in scope. If you store personal data offline, you need to ensure that it is processed, secured and retained in a way that is fully compliant.
- Forgetting about the personal data of staff
The GDPR covers the personal data of everyone in the EU, and many businesses spend a lot of time changing processes and systems to ensure that the personal information of their customers is stored and processed in full compliance with the regulation.
However, when the GDPR talks about the data of all individuals, it really does mean all. Do not forget about your internal systems for tracking and processing the data of staff: HR records, payroll, recruitment files and monitoring of employees all need to comply with the GDPR in the same way.
- Leaving it to one department
There is a common belief that compliance with the GDPR can be left to a single department, usually the IT department. While many of the key changes do need to be managed by IT, the GDPR affects many different areas of the business, and it is important that members of staff at all levels of the organisation take an active role.
All staff need to be trained so that they understand how the GDPR affects them and the customers they deal with. Leaving the IT team to manage the GDPR on its own will also overwhelm them.
- Treating the regulation as a how-to guide
As with most regulations, the GDPR makes it clear what you must achieve, but it does not provide a blueprint for how you are going to do it. Some companies are still making the mistake of focusing solely on the headline requirements without thinking through how they apply to their own data, systems and processes. That is why many organisations choose to work with GDPR specialists to ensure that they are in full compliance.