If you’ve been taking an interest in GDPR (General Data Protection Regulation), then you’ll know the deadline for compliance isn’t too far away. But even if you feel like you’ve got it sussed, you might have been misled by some of the GDPR myths and misconceptions that have been floating around about this major piece of legislation.
That’s not a position you’ll want to remain in, considering that fines for breaking the rules could be up to 4% of annual turnover.
And, of course, if you know nothing about GDPR at all, then it’s even more vital for you to start taking an interest. It is, after all, the future of your business that’s at stake.
Surely the EU and the British government wouldn’t just dump this new legislation on us without some kind of grace period, right?
The good news is no, they wouldn’t. The bad news is that you’re already in it. GDPR actually came into force on 14th April 2016, so we’ve already had over a year and a half to prepare. When the deadline rolls around on 25th May 2018, that’s it – you have to be ready.
One of the most widespread bits of misinformation about GDPR, there is a whiff of truth to this. There are a couple of limited exemptions for organisations with fewer than 250 employees, but they only apply in certain circumstances, and even then only in relation to how data processing activities are recorded.
If you’d like to read the rule in full, you can find it in point five of article 30 of the legislation. If, however, the idea of wading through paragraphs of legalese leaves you cold (like it does most people), allow us to summarise.
Under GDPR, you have to keep a record of your data processing activities, including details about the data controller, your reason for processing the data, a description of what it includes, how long it will be kept and so on.
If you have fewer than 250 employees, though, you might not have to do this. However, that’s only true if the processing is occasional, doesn’t put the data subject’s rights or freedoms at risk and doesn’t include special category content (like racial, political or genetic information) or data related to criminal convictions or offences.
In short, even if some data does qualify for these exemptions, you’ll still have to comply with practically every other aspect of GDPR.
Contrary to what some people believe, a data protection officer (DPO) is not necessarily compulsory. According to the Federation of Small Businesses, “The designation of a DPO is not mandated according to company size, but rather the type of data processing.”
For example, any organisation, regardless of size, that is a public authority must have a DPO. Also, if data is processed regularly on a large scale or if special category data is included, then a DPO will likely be necessary.
Ultimately, you may need to consult a legal expert to make the right decision here, but there’s every chance you won’t need to a hire someone for this position. You might, however, need to outsource the job to an external supplier.
As we said in a previous blog post, Brexit means very little for the future of GDPR. Going through parliament right now is the Data Protection Bill, which will eventually replace GDPR when Britain leaves the EU. What this does, essentially, is to transpose GDPR to UK law. There are a few small differences, but the nuts and bolts are basically the same. That means all businesses in the UK will have to comply – or face the same kind of fines as everyone else in Europe.
Still confused about GDPR? TMB is planning to hold a series of free GDPR seminars early next year, explaining the essentials. To register your interest, drop us a line at info@tmb.co.uk.
In the meantime, if you'd like assistance with getting GDPR compliant, fill out our contact form or give us a call on 0333 900 9050.