
Four GDPR Myths for Your Company to Avoid in England


As a business owner, you will undoubtedly have read many articles about the impact of the General Data Protection Regulation (GDPR) on businesses in the UK. The GDPR made waves upon its introduction several years ago, with one of the most shocking revelations being the maximum fine level of £17.5m against companies in the UK. The Government set up the Information Commissioner’s Office (ICO) to investigate allegations of GDPR breaches and, if necessary, issue those organisations with financial penalties. This article will therefore explore four common GDPR myths your company should avoid to reduce the risk of potential fines from the ICO in the UK. 

Why Does the GDPR Exist?

The GDPR was introduced in England as a consequence of the United Kingdom’s EU membership. It was a piece of European legislation that member states had no choice but to adopt. As of 2022, there is no indication that the Government will repeal or amend the GDPR, so it looks like its rules are here to stay. With this in mind, let us explore four GDPR myths your business should be aware of.

1. A Template Privacy Policy on My Website is Sufficient

It is a common myth that publishing a template Privacy Policy online ticks the ‘GDPR box’. However, this is very far from the truth.

Instead, the GDPR imposes several essential duties on your business, and the requirement for a Privacy Policy is just one of many. Your company must also:

  • report personal data breaches to the ICO;
  • handle Subject Access Requests appropriately; and 
  • safely store personal information.

Additionally, the GDPR requires your company to tailor its documents to fit your business. For example, if a retail company uses a Privacy Policy designed for a law firm, the ICO is unlikely to consider it appropriate (and it could constitute a GDPR violation).


2. The ICO is Unlikely to Fine Me

This is a common misconception. On the contrary, the ICO will set a precedent by fining companies for personal data breaches. The ICO sometimes publishes its reasoning for a fine on its website. On more than one occasion, it mentions that the penalty level is set as a deterrent and warning sign for businesses in England. Accordingly, the ICO will fine non-compliant businesses in the UK. 

3. The GDPR Only Relates to Written Information

When some business owners think of the GDPR, they think of printed documents, digital Word documents, and Excel spreadsheets. Some miss the fact that the GDPR also covers audio and visual information.

For example, our data protection rules include limits on the fair use of CCTV. So, not only should you provide signage warning of CCTV, but your company must also:

  • securely store all video recordings;
  • carry out ongoing data protection impact assessments; and
  • only hold the video data for as long as necessary.

A breach of these rules could constitute a breach of the GDPR in the ICO’s eyes.

4. The ICO Only Issues Huge Fines to Large Companies

The ICO has a track record of enforcing significant fines in response to severe data breaches. For example, combining the five largest ICO fines over the past few years results in approximately £50m.

The widespread myth is that the ICO will not deliver large fines to small businesses. However, this is not true. The ICO primarily takes the size of the data breach (and the number of individuals affected) into account rather than the organisation’s size.

So, for example, a large transport company could suffer a cyber attack that causes the personal details of 500 customers to get into the hands of cybercriminals. A small tech company with only five employees could accidentally disclose sensitive information about 6,000 individuals online. The fact that the tech company is smaller is irrelevant. Its fine is likely to be substantially higher due to the number of individuals the breach impacts. Furthermore, the breach was its own error, rather than the result of a cyber attack.

Key Takeaways

The GDPR is far from a simple beast, so many business owners use lawyers and data protection professionals to ensure their organisations achieve good GDPR compliance. In either case, your organisation can at least avoid some of the biggest data protection bear traps by taking note of the four common myths mentioned above.

If you need help utilising anonymous data, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What is the primary purpose of the GDPR?

The GDPR has many purposes, but one of the main ones is protecting sensitive personal data to safeguard EU citizens (and UK citizens) from harm. This continues to be the case following Brexit as laws passed before Brexit remain equally binding now.

What happens if a company cannot afford an ICO fine?

Your business would be in the same scenario it would be in if it could not pay a fine or invoice from any other organisation. Ultimately, non-payment of the fine would likely end up in legal proceedings to recover the debt.

Thomas Sutherland


About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.
