7 GDPR myths: separating facts from fiction

GDPR’s entry into force generated a lot of buzz about data protection and privacy rights, but also a lot of confusion on the real requirements for GDPR compliance. Stay with us while we dispel the most common misconceptions about the new regulation.

Subscribe to our blog

For the past year, thousands of articles have been written and shared about the new privacy rights and the penalties up to €20m that the companies might be risking. But as we reach the final countdown, the General Data Protection Regulation (GDPR) is still a mysterious field for a significant percentage of businesses and stakeholders. As we partnered with clients through their GDPR compliance journeys we too often came across some misconceptions about the regulation. To help you understand the realities of the new data protection laws, in this article we debunk the most popular GDPR myths.

Myth 1. The May ‘deadline’

With the enforcement date looming, many companies will rush to the finish line to comply. Others are just panicking for not being ready on time. The truth is, more than a deadline, the 25th May marks a new beginning. The complexity and scope of the organizational and cultural changes involved makes it almost impossible to have everything ready by the 25th. Moreover, being compliant is not a one-time fix and not something organizations will be able to forget after ticking all the boxes in their GDPR compliance checklist.

Myth 2. The European boundaries

Since the GDPR focuses exclusively on the personal data of EU citizens, some companies have been led to believe that if they operate outside Europe, they are not subject to the new regulation. Not true! While it meant to protect the Europeans’ rights to privacy, GDPR has an “extraterritorial” reach. Any organization processing or storing the personal data of EU citizens will be under its scope, irrespective of where they are based and whether they have an European subsidiary or office or not. In other words, even US-based organizations or those based in Hong Kong, Singapore or Middle East countries in the Middle East, might need to put GDPR in their priority list.

Myth 3. The mandatory consent

This has probably been the most propagated myth about GDPR, especially amongst marketers. Obtaining each person’s expressed permission to process their personal data still seems the only way to comply for some. The truth? Although the GDPR has raised the bar high when it comes to consent, it still enumerates a series of alternative legal grounds for processing personal data: legitimate or public interest, contractual necessity, legal obligations and vital interests. If the relevance of marketing messages and accurate targeting are ensured, most of the marketing activities can continue under the ground of legitimate interest. So, while a clear and unequivocal consent is a way to ensure compliance, it is just one of the multiple ways.

Myth 4: The pecuniary fines

One of the biggest red flags raised regarding GDPR was related to the €20m or 4% of worldwide annual turnover penalties. Without underestimating the power of these fines, we believe non-compliance can lead to other negative financial outcomes. For example, a data breach episode can severely damage an organization’s credibility, hence leading to loss of clients which will end up having a significant negative impact on the final revenue.

Myth 5. GDPR is just a legal thing

It’s likely that the legal departments will be the primary drivers of GDPR compliance in most companies due to the legal nature of concepts such as consent, access and data portability. However, it cannot be treated as a mere legal concern when considering the extent of its impact across IT, HR, finance and marketing, just to name a few. GDPR cannot be the responsibility of a single department but a combined strategy that will only succeed if everyone cooperates and inculcates the transparency spirit across their day-to-day business.

Myth 6: Compliance-in-a-box

Many companies might offer quick and easy “GDPR fixes” but believe me, there is no magic product that will transform your organization into being GDPR ready overnight. The complexity of personal data links and the information workflows in any business makes it impossible to find a one-size-fits-all solution that will automatically make all your processes compliant.  While you can get external help for your compliance journey, it will only be efficient if it is tailored to your business specificities and needs.

Myth 7. The Data Protection Officer

This new figure “in charge” introduced by the GDPR has also sparked some misconceptions. The most common one is that every organization needs to appoint their own Data Protection Officer (DPO). And what does GDPR says about this? A DPO is not mandatory unless your organization is a public authority, or if it engages in large-scale processing of personal or sensitive data.

Summing it all up, it is clear that GDPR is starting a compliance revolution for data protection. However, the current hype has not been helping to a smooth transition to the post-GDPR world. Most of the GDPR principles are reasonable expectations when it comes to managing personal information in today’s growing digital world. But if you are finding it all a little bit daunting, do not hesitate to search for help. With the right resources you can implement a holistic compliance program across each department of your organization.

Published on    Last updated on 01/08/2018


About the author

Mark Evenepoel is the CEO of Amplexor, headquartered in Luxembourg. He joined euroscript 20 years ago, which was renamed to Amplexor in 2015. Mark previously held senior positions in software development, finance and accounting, business consulting and sales management in the information and communications technology industries. He has been developing and materializing Amplexor’s vision and expanding its presence around the globe, combining acquisitions with organic ventures.