Skip to content
LegalVision UK

Five Data Protection Myths Your UK Company Should Avoid

Avatar photo

By Thomas Sutherland

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

As a business owner, you must avoid breaching data protection rules or risk receiving a fine of up to £17.5m. This article aims to bust five data protection myths so your company does not unintentionally violate the GDPR.

1. The ICO Exists to Fine Companies

The UK Government started the ICO to enforce data protection laws against UK organisations. Most headlines concerning the ICO involve them dishing out hefty fines in response to GDPR violations.

However, unbeknownst to some, the ICO also helps UK businesses, most notably through helpful online guidance. For instance, the ICO website contains hundreds of articles and guides concerning the GDPR and valuable tips on complying with its rules.

In this way, the ICO aims to ensure that UK businesses have the tools they need to comply with the GDPR. Only when UK organisations fail to do so does the ICO move onto enforcement footing and consider the imposition of fines.

2. Antivirus Software Alone is Sufficient

The GDPR requires UK organisations to process and store ‘personal data’ safely and securely. So, having up-to-date antivirus software is one of several measures your company can take.

However, a UK business cannot safely protect personal information through antivirus software alone.  Instead, they will need to implement additional cybersecurity measures, such as:

  • banning staff from plugging electronic devices into your computer system;
  • ensuring your wi-fi network uses a secure encryption method;
  • providing regular training on cybersecurity and data protection threats; and
  • utilising two-factor authentication for your most important business accounts.

Unfortunately, we no longer live in a world where antivirus software will protect computer systems. A common analogy is that sole reliance on antivirus software is akin to having a secure front door but not locking the windows or back door.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

3. The ICO Only Fines Large Companies

The ICO only targeting larger UK companies is a common myth. Rather, the ICO tends to base the size of a financial penalty on the size of the GDPR violation rather than the organisation’s size.

Let us consider a quick example of two GDPR violations by two companies.

  1. A large company (with 300 employees) accidentally sends a group email to all its clients without hiding the other recipients. This means that their clients know the email address of different clients. However, they leaked no further information other than email addresses.
  2. A small financial advisory company (with five staff members) mistakenly sent an email containing the bank details of 50 individuals to an external email address, putting those clients at risk of sensitive data loss and bank fraud.

Naturally, the ICO will likely provide a much larger fine to the smaller company because its mistake has exposed dozens of individuals to the risk of identity theft and bank fraud.

4. GDPR-Compliant Policies Alone Are Sufficient

Having GDPR-compliant policies is an excellent idea, particularly when drafted by an expert lawyer.  However, UK organisations are responsible for ensuring parties follow the procedures.

In this way, a UK business will be in trouble if it has a privacy policy stating that staff members will not use their personal mobiles to call clients, but they do so regardless.

Many UK companies have encountered problems, despite having appropriate policy wording, as they fail to enforce them. This is because it shows the ICO that the policy is practically worthless and does not constitute evidence of mitigation.

5. A Good Lawyer Can Do Away With an ICO Fine 

Most data protection lawyers will preach one vital ethos: ‘prevention rather than cure’. This is crucial within data protection matters because the ICO is strict on UK businesses that breach the GDPR.

Whilst the ICO can impose financial penalties for countless violations, some of the most common examples include:

  • suffering an avoidable cyber intrusion resulting in the theft of personal information;
  • disclosure of personal data to third parties without prior consent or lawful basis;
  • failure to provide personal information in response to a valid Subject Access Request; or
  • theft of personal data by an employee or individual on your premises due to a lack of physical security measures.

Whilst a lawyer may be able to identify and plead mitigating circumstances to the ICO, they are unlikely to avoid the imposition of massive fines.

Key Takeaways

Many UK business owners obtain expert legal advice to sort the facts from the fiction regarding GDPR rules. This can help ensure that UK businesses avoid accidentally breaching the GDPR in reliance on data protection myths. Another way to guard against GDPR mistakes is by holding an annual data protection audit, which is becoming increasingly popular.

If you need help with data protection law compliance, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

What happens if my business cannot afford an ICO fine?

An ICO fine is the same as any other invoice or legal demand. So, if your business cannot pay it, it risks enforcement action against it or the threat of winding up proceedings.

Will the GDPR survive Brexit?

This is a common question because the GDPR derives from EU law. However, the UK Government have made clear its intention to keep the GDPR in place.

Register for our free webinars

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

4 Common Challenges Your Company Will Face With the GDPR in the UK

Are CCTV Systems Safe for My UK Business to Use Under the GDPR?

Are Email Disclaimers Mandatory for UK Businesses Under the GDPR?

Could Brexit Lead to the Scrapping of the GDPR and it No Longer Applying to My UK Business?

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards