GDPR Misconceptions - I just need to buy expensive software and we’ll be covered

There is a mistaken belief that being GDPR ready is as simple as buying expensive compliance or security software to help you manage and safeguard all your data. This belief is false for two important reasons.

Completely unnecessary...

Firstly, for many organisations, it’s completely unnecessary. Article 25 of the GDPR sets out its requirements for data protection by design and default. It stipulates that controllers should take into account “the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks” posed to individuals and implement appropriate organisational and technical measures to protect their privacy.

Therefore, if you’re a small organisation, handling small amounts of low-risk data (names and email addresses only, for example) then buying the largest, and most expensive software is likely to be a huge waste of money. The threat to people’s rights and freedoms is minimal and can be secured by simpler, cheaper methods.

It doesn't go far enough...

Secondly, for organisations who do need this kind of software, simply having it doesn’t go far enough. Imagine having the latest, most advanced home security system installed in your house. It’s got motion sensors and night vision cameras to catch intruders, it’s got a silent alarm which alerts both you and the police to an invasion, it’s got lasers because lasers are cool, and it’s all linked up to a smart hub which can recognise family members and be controlled from a mobile phone. This incredible home security system is no use if the person who sets it up and controls it has no idea what they’re doing.

Any software you install is nothing more than a tool, and like any tool, you need to learn how to use it. Using it incorrectly still leaves your data vulnerable to a breach. You’ll need to make sure that everyone knows how to use it safely and effectively. This means training will be needed, as well as updated policies and procedures to help maintain data security.

As well as this, remember that not all personal data will be electronic. Hand-written notes can’t be protected by security programs or monitored by compliance software. You’ll need to encourage a general workplace ethic of data privacy. Hard-copies should be organised efficiently, stored safely and be destroyed properly – and don’t write passwords on post-it notes and stick them to your computer screen.

I think the reason that this particular myth exists is that many people believe that the GDPR is all about data security, and so simply having the best security and compliance software tools will show that you’re complying. However, whilst security is very important, it isn’t the main goal of the GDPR. The whole point of the GDPR, its raison dêtre, is to give power back to the people; to give data subjects much more control over their data, who has access to it, and what they can do with it. Part
of doing this is securing data so it isn’t stolen, lost, or accessed by people who shouldn’t see it.

GDPR eLearning - a much cheaper alternative! 

Want to try our eLearning before you buy? No problem! You can get free trial access to our GDPR Essentials and GDPR for Management programmes whenever you want!