Blog: GDPR MythBusters – all your GDPR questions answered

GDPR will go away with Brexit


WRONG GDPR is a UK bill embedded into the UK law system and it is here to stay. Brexit will have NO effect on GDPR. The new Data Protection Regulations will remain and will still be applicable even after leaving the EU.


Subject Access Requests can be ignored


WRONG Not addressing a Subject Access Request (SAR) correctly and within the correct timeframe is a criminal offence which carries heavy fines and possible prison time. Small businesses should ensure that they have adequate processes in place to fulfil all types of SARs within the required timeframe.


I’m a small business, so the ICO is not interested in me.


WRONG It is true that currently the ICO is focusing on large organisations, but it has recruited heavily in the last 12 months and will soon shift its focus to small businesses. Small businesses should focus on getting themselves as compliant as possible while there is still time.


I must have the consent of the data subject before I can process any of their data


WRONG Consent is merely one of the six lawful bases for processing personal data (set out in Article 6 of the GDPR). Businesses can process only the personal data they actually need (without consent) in order to perform a contract with the data subject (or to enter into a contract with the data subject) or to pursue their legitimate interests (provided that does not override the individual’s right to privacy).


GDPR does not apply to us because we only process personal data of business contacts in B2B contracts


WRONG Performance of any sale, supply or service contract will, fundamentally, involve the engagement of, and correspondence with, individual staff at those contracting organisations, which will contain names and contact details (at the very least). This data must be processed fairly, in a transparent manner, kept up to date, appropriately secured and deleted when it is no longer needed (not retained indefinitely). Businesses should still have updated privacy policies, standard terms and conditions or supplier contracts, and internal policies for staff to implement their obligations to protect personal data.


GDPR does not apply to an individual’s business email addresses and telephone number


WRONG A business email address or telephone number that relates to an individual (i.e. not an office switchboard or reception desk number) is personal data relating to that individual, not the company. This is the case even if the email address is publicly available on a website. GDPR will apply to any processing of this personal data and procedures will need to be followed before it is processed.


Employers don’t need to review anything in relation to staff data because they need to process it


WRONG Processing personal data (including special category data, such as medical records) because it is required to perform an employment contract is a lawful basis for processing (under Article 9), but it requires complete and transparent adherence to the principles under Article 5. This means all staff have the right to know how their personal data is processed, at the time it is collected. Employers should, therefore, produce a sufficiently detailed, accurate privacy notice (that sets out, as a minimum, what data they need, how they store it, which third parties process it on their behalf and how long they retain it) and issue this to all staff, which may require and prompt them to review how they process their staff data and what they communicate to staff. Staff can be required to sign, date and return copies for internal record keeping.


I don’t need to do anything where I send marketing communications with other information


WRONG Many organisations shoe-horn electronic marketing information into their invoicing process, customer feedback or usage guides. The basic rule is that you cannot market to customers unless you have their permission to do so (e.g. by email, over the phone or by online tick box).

The one limited exception to this is where you have previously sold products or services to them and wish to advise them of related products or services (i.e. on a “you’ve dealt with us before, why not again” basis only), and you contact them using only the contact details you first obtained. These practices will not (in most circumstances) successfully bypass the marketing consent rules. If you have not yet revised your marketing consent processes or segregated your marketing databases between those that have opted-in or opted-out, do not delay in doing so. The ICO has highlighted breach of marketing consent rules as a particular area of focus for enforcement as GDPR beds down.

CVG Solutions has developed a program specifically to support small businesses in identifying gaps and becoming compliant, by providing expertise and off-the-shelf processes, procedures and policies which can be tailored to suit. We are not here to catch you out, we are here to support you!
