Five GDPR myths debunked

The General Data Protection Regulation (GDPR) comes into effect in May 2018. Sam Reed busts some popular myths.


Myth - Everyone needs to appoint a Data Protection Officer 


There is also some concern that every organisation now has to appoint a data protection officer. The DPO is meant to be the data protection expert in an organisation. Although many organisations will need a DPO, including small businesses, not everyone needs to appoint one.

Under GDPR, you must appoint a data protection officer (DPO) if you:

  • are a public authority (except for courts acting in their judicial capacity)
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data, or data relating to criminal convictions and offences.

It is important to make sure you fully understand the role of a DPO before appointing one because the position needs to meet particular requirements laid out in the law. For example, the DPO needs to be independent and the business must provide them with the resources to complete their work. 

Myth - It is going to put an unfair burden on businesses 


There are some who feel GDPR is putting undue pressure on businesses to change their working practices, or risk a hefty fine. 

However, the ICO has pointed out that the new higher fines being quoted are the maximum allowed and will not be routine. They say fines will remain a last resort and will be issued proportionately. So, those concerned that the maximum fine of £17 million, or 4% of turnover, will be imposed simply to set an example early on need not worry. 

Rather than putting undue pressure on businesses, I believe the new legislation offers the ideal opportunity to review your data and ensure it is up to date. So, in the end, you may end up with less data but it will be of a better quality. 

It is also a good opportunity to review your cyber security measures because new threats are constantly emerging and can affect businesses of all sizes. Some small businesses mistakenly believe they are unlikely to be targeted.

However, according to the Federation of Self Employed and Small Businesses (FSB), cyber crime is one of the fastest growing risks to small businesses. An FSB report found that 19,000 cyber crimes are committed against small businesses in the UK every day, and a government report estimates that the average cost of a breach to a small business is £3,100.

Making sure you have robust cyber security measures in place is wise, regardless of the legislation. The National Cyber Security Centre gives 10 steps you can take to protect yourself. 

Rather than hampering the ability of businesses to use data, GDPR may make people more willing to share their data because of the new security standards. ICO research shows that people “would be more willing to provide their data, and for different uses, if they felt they could trust organisations to handle it fairly, securely and responsibly.”


With roughly six months to go before GDPR comes into effect, there is no reason to wait before you review your data practices. The ICO has laid out 12 steps you can take now to prepare. Using this simple guide is a good way to start getting ready for GDPR but be sure to get expert legal advice on anything you are unclear about.

Sam Reed is the Chief Technology Officer at Air IT -