Ever since GDPR came into the spotlight back in 2017, GDPR myths have been growing and circulating like wildfire. Well, as of 25 May 2018, GDPR is in effect. As such, it’s crucial that all business owners know the ins and outs so that they can properly follow the rules. Failing to do so can lead to some hefty fines and penalties, so it’s best to avoid them. To help clear up the situation and dispel any mistruths, here are the top five GDPR myths… debunked!
1. “I use a third-party service provider, so GDPR isn’t my problem”
Many businesses nowadays use third-party providers for a range of vital business services. For example, you might have a cloud service provider who is responsible for processing and holding the majority of your customer data. If this is the case, then you might be inclined to pass the buck and think that GDPR is their problem. Wrong!
The Information Commissioner’s Office (ICO), which enforces GDPR in the UK, has made it clear that responsibility stays with the business that decides how and why the data is collected: in GDPR terms, the data controller. A provider that handles the data on your behalf (a processor) takes on obligations of its own, but that does not relieve you of yours. You must choose providers that offer sufficient guarantees, put a written contract in place that sets out how they may handle the data, and satisfy yourself that the data is held safely. If there are flaws in your partner’s systems that place data at risk, then you need to identify them and get them fixed. If a case were ever brought against you, “it was our supplier’s problem” is not an argument that will stick.
2. “My business is too small for the ICO to take an interest”
Not only is this wrong, it is also one of the most dangerous GDPR myths around. We hear a lot in the press about large companies mishandling or abusing data. Most recently, the Cambridge Analytica scandal led to Facebook making major changes to the way third parties can access its users’ data. However, it is not just large organisations that are being watched closely.
Even as a small business, you have a responsibility to safely collect and store data, and you face exactly the same penalties as larger companies. You can be fined up to €20 million (around £17 million) or 4% of annual global turnover, whichever is higher. Of course, the ICO will not be inclined to use the maximum fine for every misdemeanour. But it has made clear that it will be reviewing businesses of all sizes, not just the household names.
3. “GDPR will be gone soon, once we leave the EU”
This is one of the simplest GDPR myths to dispel. GDPR is here to stay. Yes, it’s true, the regulation has filtered through from EU law and that’s why it affects the UK. However, even once Brexit goes ahead and we leave the EU, GDPR will not be vanishing: the UK has already written its standards into domestic law through the Data Protection Act 2018. This is not some annoying regulation that the UK government has unwillingly had to accept because of “the rulemakers in Brussels”.
Instead, it has been widely welcomed by both UK policymakers and, more importantly, UK citizens. Data protection regulation has been gradually improved upon for decades now, and this is simply the natural evolution to cope with the digital age in which we live. So, instead of trying to ignore GDPR until Brexit goes ahead, you should embrace it. If anything, data protection regulation in the UK might be further enhanced once we leave the EU.
4. “Businesses must report all data breaches to the ICO”
One of the biggest upgrades that GDPR has brought is the focus on reporting breaches to the ICO. Under the previous regime, such reports were encouraged but not compulsory. Now, if a breach is likely to result in a risk to the rights and freedoms of individuals, then yes, you must legally report it to the ICO, and do so without undue delay and within 72 hours of becoming aware of it. If the risk to individuals is high, you must also tell the affected individuals themselves. However, this doesn’t mean you need to report every single event.
If the breach is unlikely to result in a risk to anyone, then you don’t need to report it to the ICO. You do, however, still need to keep an internal record of every breach, including the facts, its effects and what you did about it, because the ICO can ask to see that record. If you’re interested in finding out more on what represents a risk or a high risk for your business and its customers, you should refer to the ICO’s guidance on personal data breaches on its website. It offers a wealth of further information and can help you in deciding what exact steps your business should be taking.
5. “GDPR is going to drastically hurt my marketing efforts”
To finish with, let’s take a quick look at the GDPR myth we hear most of all. First off, let’s look at why a business owner would believe this. Sure, collecting customer data is a vital part of marketing your business, and yes, with the new regulation, you might find it harder to secure new subscribers and gather information. However, this is not the be-all and end-all.
Instead, you need to realise one simple truth: it’s about quality, not quantity. Just because you have 1,000 names, emails and phone numbers of potential leads, it doesn’t mean you will generate a lot of sales. Instead, it depends on the quality of those leads, and whether they actually want to be marketed to.
By getting rid of things like pre-ticked opt-in boxes, which do not count as consent under GDPR because consent has to be a clear, affirmative act, you’ll find that the quality of the leads you generate is much higher than before. When an individual gives you clear consent to hold their data, they are showing genuine interest in you and your product. You also need to be able to show later that they gave it: keep a record of who consented, when, to what, and the wording they saw. As such, you can then focus more closely on each lead with greater confidence in converting them, rather than receiving angry responses from people who didn’t even know you held their data.
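To make the opt-in point concrete, here is an added example (not code from the original article, and not Anova’s own) of a sign-up form handler that refuses pre-ticked or mandatory consent boxes and stores a record of what each person actually agreed to. The field names, the form layout and the sample submissions are all constructed assumptions for illustration.

```python
"""Consent capture for a marketing sign-up form (added example).

Two things a practitioner wants from a consent flow:
  1. the form itself cannot produce "consent" by default (no pre-ticked box,
     and marketing consent is never a condition of signing up);
  2. every consent that is captured is recorded with enough detail to
     demonstrate it later: who, when, for what purpose, and the exact wording.
Field names and sample data below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


class ConsentError(ValueError):
    """Raised when a form or submission cannot yield valid consent."""


@dataclass(frozen=True)
class ConsentBox:
    name: str                      # form field name, e.g. "newsletter_opt_in"
    purpose: str                   # what the data will be used for
    label: str                     # the exact wording shown next to the box
    default_checked: bool = False  # a pre-ticked box is not an affirmative act
    required_to_submit: bool = False  # consent tied to sign-up is not freely given


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purposes: Tuple[str, ...]      # only the purposes the person opted in to
    wording: Dict[str, str]        # purpose -> label the person actually saw
    captured_at: str               # ISO-8601 UTC timestamp
    source: str                    # which form or page captured the consent


def validate_form(boxes: List[ConsentBox]) -> None:
    """Reject form definitions that cannot produce valid consent."""
    for box in boxes:
        if box.default_checked:
            raise ConsentError(f"{box.name}: pre-ticked box is not an affirmative act")
        if box.required_to_submit:
            raise ConsentError(f"{box.name}: consent cannot be a condition of signing up")
        if not box.purpose or not box.label:
            raise ConsentError(f"{box.name}: consent must be specific and informed")


def capture_consent(boxes: List[ConsentBox], submission: Dict[str, str],
                    source: str, now: Optional[datetime] = None) -> ConsentRecord:
    """Build an auditable consent record from a form submission.

    A box counts as ticked only when the browser actually sent its field
    (an unticked checkbox is absent from the submission), so an empty
    submission yields a record with no purposes rather than an error.
    """
    validate_form(boxes)
    now = now or datetime.now(timezone.utc)
    email = submission.get("email", "").strip()
    if not email:
        raise ConsentError("no email address submitted")
    ticked = [b for b in boxes if submission.get(b.name) == "on"]
    return ConsentRecord(
        email=email,
        purposes=tuple(b.purpose for b in ticked),
        wording={b.purpose: b.label for b in ticked},
        captured_at=now.isoformat(),
        source=source,
    )


def may_contact(record: ConsentRecord, purpose: str) -> bool:
    """Check a stored record before sending anything for a given purpose."""
    return purpose in record.purposes


# Constructed sample form: separate box per purpose, nothing pre-ticked.
SIGNUP_BOXES = [
    ConsentBox("newsletter_opt_in", "newsletter", "Email me the monthly newsletter"),
    ConsentBox("offers_opt_in", "offers", "Email me occasional special offers"),
]


def demo() -> ConsentRecord:
    """Constructed submission: the person ticked the newsletter box only."""
    submission = {"email": "alice@example.com", "newsletter_opt_in": "on"}
    return capture_consent(SIGNUP_BOXES, submission, source="/signup",
                           now=datetime(2018, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    rec = demo()
    print(rec)
    print("newsletter:", may_contact(rec, "newsletter"), "offers:", may_contact(rec, "offers"))
```

The record stores the label text rather than just a flag, because if the wording on the form changes later you still need to be able to show what each subscriber agreed to at the time.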
Shoring up your systems
Now that we’ve safely debunked these five GDPR myths, it’s time for you to take an honest look at your business. Have you been passing the buck and assuming that your own systems don’t matter because a supplier holds the data? Well, then it’s time to step things up. How about your attitude towards GDPR?
Have you been blaming it for a fall in leads and sales? Well, again, something needs to change at your end. GDPR should not be seen as a threat to your business. Rather, it can be an opportunity! Customers appreciate openness and security these days, so embrace GDPR rather than fight it.
At Anova, we have helped all of our clients to do exactly this by being open with them on how they collect data and how they can best make use of this opportunity. If GDPR still confuses you and you need help stepping up your defences, then feel free to contact our team. We are always happy to help more UK-based business owners looking to tackle and move forward with GDPR.