Recently it has been impossible to miss news about GDPR: the biggest change in how the world deals with data in generations. However, there is a huge amount of confusion and misinformation out there.

You may be asking yourself “do I need to delete my data?”, “do I have to stop emailing people?” or even, “does GDPR mean I can’t use cloud services?”

So what is myth and what is fact in the brave new world of the GDPR.

Myth 1: GDPR is designed to stop marketing activity: FALSE.

GDPR creates rights for EU citizens.  Business can still use personal data; they just need to do so in compliance with the law.

Myth 2: Everyone needs to get consent before sending more emails: FALSE.

You will no doubt have seen major household brands emailing you for consent to continue contacting you.  Yet consent is just one of the legal bases for contacting people.  In other words, many have got this wrong.  You may well be able to avoid the need for taking the drastic step of re-consenting by finding another legal basis for the contact.

Myth 3: I can just rely on “Legitimate Interest” as a justification for my activity: FALSE.

Legitimate interest relies upon a balancing test.  If you are going to rely on this you need to have a policy setting out how the test will be run, actually run the test each time you intend to rely upon it and document the outcome.  Legitimate interest will actually prohibit you from undertaking certain activity.

Myth 4: I don’t sell data therefore I don’t need to worry about data transfers: FALSE.

Do you rely on cloud services, external payroll, email marketing companies, or any other third party who may have access to personal data?  If you do, this will be a transfer under the act and you will need to satisfy the requirements for a transfer.  Make sure you have conducted a data mapping exercise to identify data flows and transfers.

Myth 5: If someone sends me data it is their responsibility to make sure it is “clean”: FALSE.

In any data transfer both the recipient and disclosing party have responsibilities and potential liabilities.

Myth 6: I’m not going to make the 25 May 2018 deadline so there is no point trying: FALSE

The 25 of May is the start, not the end.  Big cultural change will be required across every organisation from the 25 May 2018 onwards.

Myth 7: This is an HR or IT issue only: FALSE.

Compliance requires a joined up approach from legal, marketing, HR and IT.  Anyone who tells you that any one of these disciplines alone can make you compliant has misunderstood.

Myth 8: Brexit will change things: FALSE.

Myth 9: I can’t transfer data outside the EEA: FALSE

You can transfer data outside the EEA but there are certain requirements you must meet before you do.

Myth 10: I don’t sell to consumers so I don’t need to worry about this: FALSE

The legislation applies to all personal data, including that concerning employees, business referers and clients.            

Ben Travers is head of intellectual property and IT at Stephens Scown LLP. The firm has a team of data protection specialists and offers a range of fixed fee solutions from light support to completing a full GDPR review. To contact Ben, please call 01872 265100, email solicitors@stephens-scown.co.uk or visit www.stephens-scown.co.uk