Even now there are strange misconceptions around about General Data Protection Regulation (GDPR), according to Ian Cooley.
Ian was a speaker at the AAT annual conference, and is is Data Protection and Privacy Specialist at GDPR Advisors UK. Here’s what he tell us:
Myth 1: Brexit will put an end to GDPR
In short – no it won’t. GDPR is already written into British law, and the government has no plan to reverse that.
Myth 2: You’re either a data controller or a data processor
Actually, you can be both – particularly if you’re dealing with client’s personal data and their employees’ personal data, or that of their suppliers.
You would be the controller of the client’s data, and the processor of the payroll data – you’ll need a written agreement from the client to share that information with a third party.
‘It’s not uncommon for people to be both, but I don’t make too big a deal of it, because people struggle to get their head around whether they’re a controller or a processor,’ says Ian Cooley
‘To put it simply, a controller decides what’s collected and what happens to it, and are the organisation or person you believe you have the relationship with. And it would be your reputation on the line if your processors mess up with the data you’re controlling.’
Myth 3: Business data is included under GDPR
GDPR only covers personal data – invoices, purchase orders and similar documents are not covered, as long as these only include information about the business.
There are some grey areas however: what if the business address is also a personal address? What if the name of an individual is in the name of the business.
‘With partnerships, it can be tricky to spot whether there is any limited liability. If there is no limited liability associated with them, then they are individuals… It does put a bit of onus on the person using the information to do a bit of research into who they are interacting with. That’s moving things on quite a long way from where it is at the moment.’
Myth 4: Sole traders don’t have to worry about GDPR
Sole traders who handle personal data do indeed have to worry about GDPR – there is no size limit to the new regulations.
‘I’ve heard people say “we’ve got less than 250 employees, so it doesn’t apply to us”. We saw a misconception peddled by a lawyer that there’s a small business exemption under the Data Protection Act that will continue under GDPR – there’s never been a small business exemption.’
Some confusion has arisen because not all businesses need to register with the ICO, but all have to be compliant with the regulations.
‘There’s an online checklist that you can do on the Information Commissioner’s website to determine whether you need to register with the ICO.
Some of those points need an A4 sheet to explain what’s covered under one term. So there needs to be a bit of fine tuning around it. But in reality, unless it’s a personal Christmas card list, you need to comply with it, even if you don’t register.’
Myth 5: Compliance is a matter of checking a few boxes
Actually GDPR is much more complicated than that. There are a lot of elements that won’t be clear until tested in court. ‘It’s not possible to be 100% compliant because you don’t know the rules are yet,’ says Cooley. ‘But you can’t tick a few boxes and become compliant in a week.
‘It’s not about the certificate on the wall – it’s how you do business. It’s about treating your clients’ personal data with the care and respect it deserves. That’s the key to it.’
Mark Rowland is a journalist and former editor of Accounting Technician and 20 magazine.