The GDPR: 10 Common Myths

10. January 2023

The GDPR resulted in the biggest shake-up to the protection of personal data in decades. And right from the start, the framework fueled paranoia, confusion, and fear around how it works, what needs to be done, and the obligations organizations would now face (or not). Almost five years later, a number of common misconceptions continue to surround the regulation. Let’s take a look at ten of the most prevalent GDPR myths – and explain why that’s all they are.

Myth #1. GDPR only applies to European companies

The GDPR applies to any company that collects, receives, and processes the data of EU citizens and residents, any that offers goods or services to EU Data Subjects, and any that monitors their behavior, WHEREVER that company is based. In contrast, a European company that processes only the data of US or Australian residents would not have to comply with the GDPR. So, it does not matter where the company is based. The question is, “whose data are you using?”

Myth #2. And it’s designed to protect all EU citizens, right?

Thinking the GDPR was passed to protect EU citizens is one of the GDPR myths. GDPR is specifically designed to protect the personal information of EU citizens and residents – yet it only applies to EU citizens and residents inside the EU. So, the question is whether the individual is in the EU, not whether he or she is an EU citizen.

Myth #3. Okay – but isn’t it true that data centers need to be in the EU?

Again, this is not true. The GDPR stipulates that all data collected on citizens must be stored in the EU, or within a jurisdiction that guarantees similar levels of protection.

Myth #4. I heard the GDPR is designed to make money by fining companies.

This is more of a conspiracy theory than one of the GDPR myths. The GDPR was developed to ‘harmonize data privacy laws across all of its member countries, as well as provide greater protection and rights to individuals.’ Yes – a hefty sum in fines has been levied over the years, but usually only for serious breaches of privacy standards. The fact remains that the GDPR is about putting the data subject first.

Myth #5. It makes organizations appoint a Data Protection Officer though.

Organizations only need to assign a DPO if they are a public authority, engage in large-scale systematic monitoring, or conduct the large-scale processing of personal or sensitive data. If you don’t fall into one of these categories, you are categorically NOT obliged to appoint a DPO. Having said that, appointing one is encouraged as best practice.

Myth #6. Not to worry: I run a small business, so I’m exempt

Think again. The GDPR applies to businesses of any size, regardless of the number of employees. Recital 13 specifically states: “In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises.”

There is some good news: small companies pay a much lower registration fee.

Myth #7. Do I really need to obtain consent for every activity?

Nope. Many companies see consent at the heart of the GDPR and believe that no consent equals no data processing. But if a clear implied contract exists, you don’t require any explicit consent, except for a few areas that require open approval.

In reality, the GDPR provides six lawful bases for processing, of which consent is only one. The others include contract (where data processing is necessary to complete a contract); legal obligation (where data processing is necessary to comply with the law); vital interests (the processing is necessary to protect someone’s life); public task (the processing is necessary to perform a task in the public interest); and legitimate interests (the processing is necessary for your legitimate interests or the legitimate interests of a third party).

If you do rely on consent as your primary lawful basis, make sure that it meets GDPR standards: specific, detailed, properly documented, and easily withdrawn.

Myth #8. I think it’s enough to publish a privacy policy on our website.

It’s a start, but it’s nowhere near enough. You can go to any one of numerous websites to download a customizable ‘GDPR-compliant’ template of privacy policies. Yet drafting a privacy policy is just one step towards GDPR compliance. You may also have to install a cookie pop-up banner, conduct data mapping, appoint a data protection officer, establish a process for notifying data protection authorities in the case of a data breach, implement data processing agreements with data processors, and make sure data processors in non-EU countries offer adequate levels of data protection. 

Myth #9. The GDPR supersedes all other regulations.

One of the goals of the GDPR was to create a harmonized EU legal framework that will apply directly in all EU countries. Yet despite its length and complexity, complying with the GDPR does not mean your organization automatically complies with all EU privacy laws. You also need to take account of complementary laws such as the ePrivacy Directive and the Network and Information Systems Directive. Remember also that the GDPR is, or can be, modified by each EU Member State. So, you must also factor in any supplemental rules adopted by individual countries.

Myth #10. As a UK company, Brexit means we no longer have to bother with GDPR.

Yes and no. The GDPR is retained in domestic law as the UK GDPR, although the UK retains the independence to keep the framework under review. The DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation) apply if UK companies process only domestic personal data. The EU GDPR still applies if UK companies process the personal data of, and offer goods and services to, or monitor the behavior of, EU residents.

Separate fact from fiction

These are just a few of the numerous myths and half-truths surrounding the GDPR. Be aware, however, that the regulation continues to adapt and change over time, so it’s essential to separate fact from fiction and stay on top of the steps you need to take to ensure compliance.

If you’d like to learn more about the GDPR and data protection regulations around the world, check out this whitepaper for more information.

Caspar Miller
Head of Regulatory