Now that the GDPR has been implemented and the 25th May deadline has passed, you’ll have noticed a lot less chatter about it online and in your inbox. But it’s more than likely that you are still working on fully understanding what it means for you and your business. As a professional virtual assistant service, we manage both our own data as well as data that belongs to our clients. This experience means that we have developed a good understanding of the rules, which made us think that it would be a good idea to bust some GDPR myths.
1. It doesn’t apply to SMEs
GDPR applies to every organisation within the EU (and even those outside the EU selling goods and services in the EU). It does not matter what size or type of organisation you are. Every business from sole traders and small charities to international businesses must make sure that they have the processes and procedures in place that ensures their organisation complies with the regulations. There’s no need to panic though – there is plenty of good GDPR advice available to help you get it right.
2. It’s more trouble than it’s worth
It may certainly seem, on the face of it, that GDPR is a time-consuming and costly exercise. For some businesses, it definitely is. But the central point of the regulations is to protect the privacy and rights of individuals. That’s a collective responsibility, so whilst you are putting yourself out to comply, don’t forget that all the companies that hold your own personal data are doing the same thing – to protect your privacy. And in the end, it means you’ll only be collecting the data of people who are genuinely interested in your business – and that makes your contact list considerably more valuable than it was before. It also means that when you share that data – to a dedicated virtual assistant for example – you know it is a valid and secure list that complies with the regulations.
3. You have to ask everyone for consent
No. You only need to ask for specific consent where you are relying on ‘consent’ as the legal basis for using the data. It is important to note that there are six reasons (legal bases) which you can use as your basis to collect and retain data; consent is just one of them and may not always be the most relevant. Sometimes you may have no option but to use consent as your legal basis, and there is no escaping the fact that you may lose some of your list when you ask for re-consent, but that shouldn’t stop you doing it. Under the consent rules, you should only be holding the data of people who have given you “clear, affirmative action” to do so. This means that it must be a positive action and you can’t rely on any passive or implied consent. Any contacts you have where you cannot show that affirmative action or confirmation will have to be removed from your list.
4. I’m going to get a huge fine if I don’t comply. I can’t afford that
It’s absolutely true that the Information Commissioner’s Office (ICO) has the power to impose very large fines on companies who breach the regulations. But this is not a one-size-fits-all punishment, and the ICO is not on a hunt for non-compliance. It’s likely that the largest fines will be for those international companies who fail to secure or protect their data. Smaller businesses may fall foul of the regulations, but the ICO is unlikely to impose such punitive fines that you go out of business, unless the breach is extremely serious. The ICO has a range of enforcement powers and has already publicly stated that it will seek to educate and issue warnings before resorting to drastic fines.
5. I have to appoint a Data Protection Officer
Some organisations will need to appoint a Data Protection Officer. This is either where the organisation is a public authority or where managing sensitive data is a significant part of the day-to-day operations of the organisation. It is not a requirement of the regulations that every business has to appoint a Data Protection Officer, and there are many reasons why small businesses would not want to do so. In most small businesses, the responsibility for data protection compliance will lie with the business owner. The GDPR sets out the circumstances where a Data Protection Officer is a mandatory requirement:
- Where the processing of personal data is done by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity
- Large scale regular monitoring
- Large scale processing of “special categories of data”
Special categories of data are defined under GDPR as covering health records, genetic data/biometric data, data concerning a person’s sex life or sexual orientation, or any personal data revealing racial or ethnic origin, political opinions, or religious or philosophical beliefs. However, for the requirement to appoint a Data Protection Officer to apply to your organisation, it would need to be more than just collecting some of this information from your employees in the course of being an employer; you would need to be processing this type of data on a large-scale basis as part of your organisation’s activities.
6. We won’t need to comply because of Brexit
The UK government understands the importance of protecting individual privacy. The UK is currently still a member of the EU, and so the regulations currently apply to all organisations in the UK without exception. The government has proposed a Data Protection Bill which is currently passing through parliament. This is largely based on GDPR, and the UK has signalled its intention to modernise data protection laws in the UK once it has separated from the EU.
7. Even data processors have big responsibilities
GDPR does put some obligations on data processors, but the ultimate responsibility for the security and use of the data lies with the data controller. This applies in circumstances including where the data processor is an outsourced resource like a full-time virtual assistant. In the case of outsourcing, it should be made clear in the contract what responsibilities are taken and when.
8. I will have to report my business to the ICO if something goes wrong
It’s important that you have a procedure that allows you to quickly identify, report and investigate a breach of the data you hold. You are required to report to the ICO the details and circumstances of a data breach if your breach is likely to “result in a risk to the rights and freedoms of individuals”, which includes a loss of confidential information, or information which puts the individual at risk of discrimination. If this does apply, the ICO must be given the information within 72 hours of the breach being discovered. Depending on the facts and circumstances of the breach, you may also need to inform all the affected data subjects.
9. I won’t be able to keep data for as long as I’d like to
No business should retain personal data if it no longer has a need for that data. The regulations do not specify a time-frame for keeping the data – if you still need the data for any of the reasons set out in the regulations, you may keep it, as long as it is secure and you have a procedure in place for retaining it safely and removing contacts from it if they ask you to do so. This doesn’t apply to general company information, which would not be classed as personal data (and therefore not subject to GDPR) because it cannot be used to identify an individual.
Help with GDPR from your virtual assistant
Managing client data is part and parcel of the everyday work of a virtual assistant, so you should expect them to be up-to-date and completely compliant already. This also means that they are a great source of help when you are making sure you are doing exactly what you need to do. If you need help with getting GDPR straight for your business or would like to know about any of our virtual business support services, feel free to call us on 0800 994 9016 or use our contact form in the menu above.