Are you making these common GDPR mistakes?
GDPRs never going to be simple, but unfortunately getting it wrong can lead to penalties and fines!
Even the most experienced Data Experts can make mistakes, so it’s always good to be in the know about what the most common, yet easily fixable, mistakes are.
Here are the five most common GDPR mistakes that we’ve seen (and how you can avoid them).
1. Compliant on paper, but not in practice.
2. Party for One.
This is a difficult one for companies but having one person solely in charge of all of your GPDR, data protection and sometimes IT services can for many be too much. You want to make sure that your data protection officers can be focussed on making sure you’re meeting the data protection guidelines for your country, without having to worry about other IT related services too! If you can, it’s best to have a team handling all of the different data protection needs of your business. Budgeting for a small, but skilful team is much more cost-effective than being landed with a huge fine from the ICO, and you can rest assured that your data needs are being taken care off. Managing data is a multi-skilled operation, so having a team is the best way to ensure there are no unturned stones in your GPDR preparedness.
3. Thinking Small
You may have followed the GDPR for your customer’s data to a high standard, follow all of the protocols and checked every box. But, what about your staff’s personal data? Or resumes from potential hires? Are these just stored in a big file that anyone could open? When it comes to GDPR you need to make sure you’ve thought through all the data you may need to manage. We’d recommend taking the time to write down all the types of data your company may use or receive and ensuring you have included these in your GDPR documentation. Taking ten minutes to do this now could have a huge fine or penalty later down the road!
4. 72 Hours
Nightmare: You’ve woken up in the morning to find that your company has become infiltrated overnight, and hackers have stolen the personal data of hundreds of customers and staff. While it would be tempting to bury your head in the safety of the duvet, you have to act fast. Upon learning of a breach, you must notify the Information Commissioner’s Office (ICO), as well as all of the affected users. All organisations have to report certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. This is actually quite a serious mistake that countless small and big business make, so be sure to read the ICO guidance on this to ensure you won’t be waking up to the same nightmare.
You’re aware you have to get started on your GPDR documents, but you’re not sure how, or why, and frankly you have lots more important thing to do, especially now! This may sound like a good excuse to you, but it definitely will not work with the ICO and your Data Protection Authority. Quite simply, you cannot delay starting your GDPR. We understand that it can be a daunting task to many, which is why we at GDPRlocal are here to help.
If you are new to GDPR, we suggest you start by getting your free GDPRlocal account by clicking here and take a look at the free downloads. These documents will help you understand what you need to do.
If you have questions about getting your GDPR started or anything we’ve highlighted today, drop us an email at adam@GDPRlocal.com, or call us at 01772 217800 and we can give you a hand.
Good luck all.
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
Zlatko, Adam, Hristina, Marin.
As GDPR effect is growing day by day and a lot of companies are affected, we would like to present
ICO published the next chapter of the Anonymisation guidance draft : Anonymisation, pseudonymisation and privacy enhancing technologies guidance
How to ensure anonymisation is effective? The ICO is calling for views on its updated draft gui
A lot of companies are receiving SAR's almost every day. Not all of the SAR's are relevant and a lo