The General Data Protection Regulation (GDPR) came into force in May 2018 and businesses across the UK have been forced to change their systems and working practices in order to comply. However, it is still the case that a large number of organizations are making mistakes in their efforts to comply with the rules. Here we take a look at some of the biggest GDPR compliance mistakes British businesses are currently making and provide insight into how you can avoid them.
Mistake: Assuming there’s no need to worry about the GDPR with Brexit on the horizon
Some businesses still assume that Brexit will mean a major overhaul for rules and regulations across the country, and therefore there is no need to worry about the GDPR as it is a European regulation. However, this is a misunderstanding of the situation as it currently stands. While the GDPR is an EU regulation that applies to EU businesses, the rules were transposed into British law as the Data Protection Act 2018.
Functionally this means that regardless of the outcome of Brexit, these are the rules that now need to be followed by British businesses. Therefore, if your business currently doesn’t comply with the GDPR, you are not only in breach of EU regulations but British ones too.
Mistake: You don’t have an Article 27 representative in Europe
One of the most overlooked issues in compliance with the GDPR is the need for a representative in the EU. Businesses are required to appoint a representative on privacy issues who can be contacted by clients, customers and regulatory authorities inside the EU. Set down in Article 27 of the GDPR, if a business has customers or clients in the EU, having a representative is obligatory.
“Many businesses simply don’t realize that having an EU representative isn’t optional – it’s a legal requirement. If a British business has customers, partners or clients in the EU, appointing a representative is an important step in complying with the law, avoiding fines and being GDPR compliant”. Flor McCarthy, MD, Article 27 Representatives EU Business Partners.
Mistake: Making GDPR compliance an issue purely for the IT team
It has been a common issue that businesses have learned that the GDPR consists of rules and regulations around data management, and have simply seen it as an issue that can be dealt with by their IT team. Of course, the IT team has a key role to play, but it is not the only party that needs to take an active involvement.
Taking this approach not only puts a huge amount of pressure on the IT team, but it also neglects the fact that the GDPR will affect a huge range of aspects in your business. In order to prepare adequately for GDPR compliance, you need to coordinate an audit across your whole organization.
Companies can see the GDPR as an opportunity rather than a problem. It is a chance to re-think systems and re-train staff on the correct data management processes. Everyone in the business needs to understand their responsibilities under the GDPR – this means getting the whole company involved in the work.
Mistake: Thinking that current data management processes remain valid
It can be easy for businesses to assume that because their data management has been handled correctly in the past, and that they have never had any problem with breaches or data loss, that they do not need to make any major improvements. However, this is a very dangerous assumption to make as the GDPR has brought in huge legislative changes. It is unlikely that your previous system fully complies with the GDPR.
There are numerous new elements introduced such as the right to be forgotten – which gives any individual whose data you have recorded the right to ask you to remove their data, which you must comply with. It is also a requirement that individuals who have had their data stolen during a breach have a right to be informed within 72 hours.
Is your current system capable of handling these issues? There are many others too and failing to comply with any one of them can put you in breach of the GDPR. If you have any concerns about your business complying with the GDPR it is a good idea to consult with experts.
About the author: Mike James is an experienced business writer specializing in HR, tech, and cybersecurity. On the latter, he has contributed to many of the leading publications both online and in print – such as StaySafeOnline, GlobalSign, Tech London and more.