
The Truth Behind Four GDPR Myths UK Companies Need to Know

The General Data Protection Regulation (GDPR) was introduced in May 2018 to enhance data protection regulations and ensure that companies lawfully handle personal data. Despite the regulation being in place for a few years, many UK companies still believe in common myths about GDPR that can lead to costly mistakes. In this article, we will debunk four GDPR myths that UK companies must avoid.

Myth #1: A Website Privacy Policy Template Is Sufficient for Compliance

One common myth among UK companies is that having a template privacy policy on their website is sufficient to comply with GDPR. A privacy policy (or privacy notice) is an essential part of GDPR compliance, but a copied template is rarely enough. The GDPR requires businesses to provide clear and concise information about the personal data they collect, the purposes and lawful basis for using it, how long they keep it, and who it is shared with. A generic template cannot know any of this, so companies need to tailor their privacy policy to their own data processing activities.

To get this right, companies should first map the personal data they actually hold: what is collected, where it comes from, why it is processed, where it is stored and who it is shared with. The GDPR expects most organisations to keep this as a record of processing activities, and the privacy policy should reflect that record rather than the other way round. Where processing is likely to result in a high risk to individuals, a data protection impact assessment (DPIA) is also required. A DPIA is a process that helps businesses identify and minimise the risks of a specific processing activity: it describes the processing, assesses its necessity and the risks to the people concerned, and records the measures put in place to mitigate those risks.

Myth #2: GDPR Is Only Applicable to Written Information

Some UK companies believe GDPR only applies to written information, such as documents and emails. However, GDPR applies to personal data in any form: database records, CCTV footage, photographs, voice recordings, and online identifiers such as IP addresses and cookie IDs all count if they relate to an identifiable person. This means that companies must ensure that all personal data they collect and process, whatever the format, is handled in compliance with GDPR.

Companies should identify all personal data they collect and process, including data held on third-party platforms, in SaaS tools or in the cloud. They should also ensure that they have appropriate measures in place to protect personal data from unauthorised access, disclosure, loss and misuse. This means implementing technical and organisational measures proportionate to the risk, such as encryption, access controls, and staff procedures for handling the data.

Myth #3: The ICO Is Unlikely to Fine Businesses

Another myth among UK companies is that the Information Commissioner's Office (ICO) is unlikely to fine them for GDPR breaches. This is not true. Under the UK GDPR the ICO has the power to issue fines of up to £17.5 million or four per cent of a company's annual worldwide turnover, whichever is higher (the equivalent EU GDPR ceiling is €20 million or four per cent). The ICO has already issued significant fines to companies for GDPR breaches, and enforcement is ongoing.

To avoid fines, UK companies should take GDPR compliance seriously and ensure appropriate data protection measures are in place. This includes conducting regular data protection training for employees, implementing data protection policies and procedures, and ensuring that personal data is processed lawfully, fairly and transparently.

Myth #4: The ICO Sets Large Fines for Big Businesses Only

Finally, some UK companies believe that the ICO only issues large fines to large companies. This is not true. The ICO has issued fines to companies of all sizes for GDPR breaches. Larger companies may attract more media attention when they are fined, but small and medium-sized businesses are also fined, and the ICO sets the amount according to the seriousness of the breach and the business's turnover rather than reserving penalties for big names.

The same steps apply to businesses of all sizes: regular staff training, documented data protection policies and procedures, and processing that is lawful, fair and transparent.

Conclusion

UK companies must be aware of these four GDPR myths to avoid costly mistakes. Compliance with GDPR is essential for all companies that collect and process personal data. By ensuring that they have appropriate data protection measures in place and conducting regular data protection training for employees, companies can reduce the risk of fines and protect their reputation.

Briefed is a team of barristers that provide legal advice to businesses to ensure compliance with existing regulations and laws. Our barristers are highly experienced in helping companies stay compliant and achieve their business objectives. We provide guidance and support in all areas of regulation, including GDPR legal compliance. Contact us to find out how we can help!

Get In Touch

Call us today or send us your details if you would like us to contact you.
