GDPR: Myths & Mistakes One Year On


This article is part of the Greater Birmingham Chambers of Commerce’s Raise the BAR (Business Adaptability & Resilience) Campaign, sponsored by Western Union Business Solutions. This campaign provides Chamber members with a platform to share learning and inspiration on this agenda. All views and opinions expressed below are those of the author only.

By Clare Perrett, Customer Data Manager, Wesleyan

The Business Community response to GDPR:

I have noticed a lot of marketing statements have changed to incorporate GDPR. However, it still feels like there is a lack of awareness amongst some business owners but much more awareness from individuals who now quote their ‘rights’ when it comes to data and how it is being used, although, as the rules are in some ways open to interpretation, this can lead to frustration from businesses and individuals.

The No. 1 mistake companies make on preventing data breaches:

Companies need to make sure that they know what data they have, how it is being used and by whom, and that their privacy statement is open, honest and uses clear language. Without this, companies are likely to breach GDPR. If there is a breach, report it straight away, don’t try and hide it, and make sure you learn from it.

Top advice for companies trying to navigate the post-GDPR framework of digital consumer rights:

Two pieces of advice – the first is common sense: put yourself in the position of the customer; if that was your data, how would you feel? Second, if in doubt, speak to the ICO or DMA; they have teams that can advise you and help you navigate the relevant parts of the regulation.

The GDPR Myths:

In my opinion, the biggest myth is still that GDPR was a new thing - it wasn’t; it was an update to the previous data protection regulation to reflect changes in how data is now being used. The second myth is that consent is required for all aspects of data; this isn’t the case. There are six lawful means of processing, of which consent is one. Businesses need to consider why they are processing/storing the data and if it is necessary. If that is considered, documented and in the privacy statement, then businesses will be in a strong position with regard to GDPR.

The Wesleyan Approach to GDPR:

The security and protection of customer data has always been a priority for us as we want to maintain the trust our customers have in us. Prior to GDPR we had a rigorous strategy around customer data. Since GDPR, we have revisited all of our policies and been careful to ensure we don’t hold onto data any longer than necessary. If we are required to keep customer data for regulatory reasons, we anonymise it if appropriate.