There are a lot of myths surrounding data protection, which has led to people having inaccurate expectations about what is required to be compliant with the regulations. With GDPR now such a prominent issue, here are some of the most common expectations and the reality of the situation that companies should be aware of.
Data Protection is an Unnecessary Burden on Businesses
The regulations regarding data protection do require organisations to take more accountability for how they collect, share and store personal data, which can lead to the notion that it’s time-consuming and burdensome. But data protection regulations are simply built on foundations that have already been in place for the past 20 years. If your business is compliant with Data Protection Act terms and there is an effective data governance programme already in place, then you’re already in a good position to comply with GDPR. Many of the fundamental aspects of GDPR are the same as they always have been, so it’s just about taking time to consider transparency, accuracy and security measures.
Privacy Policies Need to be Extended
Many people are of the opinion that in order to be compliant with data protection and privacy rulings, they need to write a long, in-depth privacy page, but the reality is that the opposite is true. Privacy pages that are complex and use legal jargon are actually not compliant: the new GDPR ruling requires that information addressing the public or the data subject be concise and easy to understand. Make sure that the language used is something that everyone can follow and that it avoids lengthy sentences that are too detailed – in this situation, the simpler the better.
It Will Be Expensive for Organisations Who are Fined
Business owners believe that GDPR is all about fining organisations who don’t meet the requirements, but that’s not what the law is for. GDPR and data protection are about putting consumers first and ensuring that companies aren’t able to abuse their access to personal information. It’s true that under GDPR there is the power to fine companies as much as £17 million or 4% of turnover, but there’s also a lot of scaremongering which makes it seem as though fines are the norm. Provided that companies comply with the requirements of GDPR, there should be no cause for concern.
All Personal Data Can Be Treated the Same
GDPR outlines a range of types of sensitive data which are prohibited from being processed and which are considered separate from general data, including personal data that reveals racial or ethnic origin, political opinions and data concerning sexual orientation. If your business collects or handles data of this type, there could be additional requirements you must meet in order to do so. As an organisation, it’s important that those responsible for collecting or dealing with data are aware of the differences between data types and are trained to know how best to apply the varying levels of security and care needed.