Don’t Believe These GDPR Myths

The EU’s new data protection laws are on their way, but there are more than a few misunderstandings about what they are and who they’ll affect. TMB helps to clear up some of the confusion.

If you’ve been taking an interest in GDPR (General Data Protection Regulation), then you’ll know the deadline for compliance isn’t too far away. But even if you feel like you’ve got it sussed, you might have been misled by some of the GDPR myths and misconceptions that have been floating around about this major piece of legislation.

That’s not a position you’ll want to remain in, considering that fines for breaking the rules could be up to 4% of annual turnover.

And, of course, if you know nothing about GDPR at all, then it’s even more vital for you to start taking an interest. It is, after all, the future of your business that’s at stake.

There’s Going To Be A Grace Period

The date of the deadline is 25th May 2018, but GDPR became law in 2016.

Surely the EU and the British government wouldn’t just dump this new legislation on us without some kind of grace period, right?

The good news is no, they wouldn’t. The bad news is that you’re already in it. GDPR actually came into force on 14th April 2016, so we’ve already had over a year and a half to prepare. When the deadline rolls around on 25th May 2018, that’s it – you have to be ready.

GDPR Doesn’t Apply To Businesses With Fewer Than 250 Employees

This is one of the most widespread bits of misinformation about GDPR, but there is a whiff of truth to it. There are a couple of limited exemptions for organisations with fewer than 250 employees, but they only apply in certain circumstances, and even then only in relation to how data processing activities are recorded.

If you’d like to read the rule in full, you can find it in point five of article 30 of the legislation. If, however, the idea of wading through paragraphs of legalese leaves you cold (like it does most people), allow us to summarise.

Under GDPR, you have to keep a record of your data processing activities, including details about the data controller, your reason for processing the data, a description of what it includes, how long it will be kept and so on.

If you have fewer than 250 employees, though, you might not have to do this. However, that’s only true if the processing is occasional, doesn’t put the data subject’s rights or freedoms at risk and doesn’t include special category content (like racial, political or genetic information) or data related to criminal convictions or offences.

In short, even if some data does qualify for these exemptions, you’ll still have to comply with practically every other aspect of GDPR.

Everyone Needs To Have A Data Protection Officer

Contrary to what some people believe, a data protection officer (DPO) is not necessarily compulsory. According to the Federation of Small Businesses, “The designation of a DPO is not mandated according to company size, but rather the type of data processing.”

For example, any organisation, regardless of size, that is a public authority must have a DPO. Also, if data is processed regularly on a large scale or if special category data is included, then a DPO will likely be necessary.

Ultimately, you may need to consult a legal expert to make the right decision here, but there’s every chance you won’t need to hire someone for this position. You might, however, need to outsource the job to an external supplier.

Brexit Means GDPR Doesn’t Matter

The UK’s exit from the EU won’t make a difference to GDPR

As we said in a previous blog post, Brexit means very little for the future of GDPR. Going through parliament right now is the Data Protection Bill, which will eventually replace GDPR when Britain leaves the EU. What this does, essentially, is to transpose GDPR to UK law. There are a few small differences, but the nuts and bolts are basically the same. That means all businesses in the UK will have to comply – or face the same kind of fines as everyone else in Europe.

Still confused about GDPR? TMB is planning to hold a series of free GDPR seminars early next year, explaining the essentials. To register your interest, drop us a line at

In the meantime, if you’d like assistance with getting GDPR compliant, fill out our contact form or give us a call on 0333 900 9050.


TMB Privacy Policy

Why do we hold personal data?

Like any business, TMB Group has to keep personal data about staff, clients and potential customers. When you fill in the contact form on our website, for example, we need to keep a record so we can get back to you. Data is also held so we can deliver our services and so we can provide useful information, such as security update news.

What data do we keep?

Depending on our relationship with you, we’ll hold information such as your first and last names, your email address, your phone number and your postal address. We will also possibly have details about your business and those who work for you. If you’re a customer, then we may have some of your banking details so we’re able to accept payments for the services we provide.

How is your data stored?

As a responsible IT company, TMB stores personal data on secured computer systems. Anything that is archived will be placed on encrypted drives.

We do use third-party customer management software, Autotask, which means data may be stored on their servers, but only the data we need to deliver our services. The same goes for the Microsoft services we use, such as Word, Excel and PowerPoint, which store information on Microsoft’s cloud servers. We also use Mailchimp for marketing purposes: to send emails and to manage subscriber lists.

These third parties are not permitted to share your data or to use it for marketing purposes. You can find Autotask’s privacy policy here: Microsoft’s privacy policy for Office 365 is here: Mailchimp’s policy is here:

How long do we keep your data?

We will keep your data in our systems until it is no longer relevant to our business, but you can request that we remove or update it at any time. We will also inform any relevant third parties of your request.

Access to your information

The key thing to remember is that your data belongs to you. That means you can request copies of your personal data any time you like, or ask to access and update it. You also have the right to be forgotten, so if you ask that we delete your data, we will do so or provide a valid reason why we are unable to. We will, of course, require proof of your identity before addressing any such request.

Depending on your request, your information may be provided to you electronically. In such cases, it will be provided in a commonly used format.

Unsubscribing and deletion

Unsubscribing is not the same as a request for us to delete personal data. If, for example, you unsubscribe from a mailing list, it is necessary to keep your email address on record to prevent marketing email from being sent to you. If we were to delete that information, we would have no way to tell if you have unsubscribed. Nevertheless, you still have the right to request erasure of your personal data.

Your right to complain

If, for any reason, you are unhappy with the way your personal data is treated by us, you have the right to complain to a supervisory authority. In the UK, that would be the Information Commissioner’s Office (ICO).

Website analytics

Anyone who visits our website will automatically have data about them collected via Google Analytics. This gives us broad information about what people are doing on our website and which pages they are looking at. It does not provide us with personal information that could be used to identify individuals.


Cookies are small text files that web browsers receive from websites. They are stored on your computer, and they enable sites to do things like remember if you’ve visited before, if you’re a customer, what your preferences are and so on. You are entitled to view our website without them, but you may lose this kind of functionality if you do so.

International data transfers

Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this privacy policy.

Data controllers and processors

TMB is the controller for marketing activity and personal data/special category data we hold on our own employees, but we are the processor when processing our customers’ personal data (e.g. buying a licence for a named individual). We may use sub-processors for processing data given to us by customers.

What we won’t ever do is sell your data. And if you sign up to our mailing list, you’ll only receive marketing material from TMB as a result – no one else.

For any questions regarding your data, contact TMB’s technical director, Richard Shuker, at or write to us at A1 Endeavour Business Park, Penner Road, Havant, Hampshire, PO9 1QN.