Demystifying the most common GDPR myths

The new European General Data Protection Regulation (GDPR) sets new obligations and responsibilities for Data Controllers and Data Processors. The GDPR also gives new powers to the national Data Protection Authorities (DPAs). And, yes, non-compliance with the GDPR is associated with significant fines. However, the unfortunate truth is that not all information being shared about the GDPR is factual. Because it is a new topic, there are a lot of myths surrounding the GDPR. Let us demystify some of the most common ones.

Myth 1: GDPR is only applicable in the EU

This is one of the most common myths: that the GDPR is an EU law and therefore applies to EU companies only. The fact is that the GDPR applies to all companies that process the personal data of EU residents, irrespective of where the company is located. So, many non-European companies, especially those in the Americas and Asia, will fall within the scope of the GDPR and will need to comply with it.

Myth 2: Consent is the only way to process personal data

This is also a common myth: that consent is required for all processing of personal data. The fact is that consent is only one of the six legitimate purposes (legal bases) for processing personal data, not the only option. And, in my view, consent should not be the starting point when companies consider how to process personal data. I say this because consent can be withdrawn by the data subject at any time, and if it is withdrawn, the controller and processor must stop processing that personal data. So, the choice to rely on consent as the legitimate purpose should be evaluated carefully.

See also: Is consent needed? Six legal bases to process data according to GDPR.

Myth 3: GDPR is all about fines

This is another common myth: that the GDPR is all about fines. The fact remains that the GDPR is about putting the data subject first. Yes, non-compliance with the GDPR can invite hefty fines, but these are likely to be a last resort, applied when the warning(s) from the Supervisory Authority have not been complied with. The objective of the GDPR is to make organisations follow the principles of accountability and transparency on their own, rather than having the Supervisory Authority ask for reports and documents.

See also: A summary of 10 key GDPR requirements.

Myth 4: All organisations need a Data Protection Officer

This is another common myth: that each and every organisation needs to appoint a Data Protection Officer (DPO). The fact is that a DPO must be appointed if your organisation is a public authority, or if it engages in large-scale processing of personal or sensitive data. If your organisation does not meet these criteria, you do not need to appoint a DPO. So, this is a decision for the management of your company to make, considering the requirements of the GDPR and whether the DPO role is needed.

See also: The role of the DPO in light of the General Data Protection Regulation.

Conclusion

Be aware that there are a lot of myths surrounding the EU GDPR. Focus on finding the facts, so that you know what is a myth and what is a fact. Separating myths from facts will allow you to take an objective and rational view of the GDPR requirements, based on its key principles, and this in turn will allow you to take the right steps in your implementation of the GDPR.


Punit Bhatia

Punit Bhatia is a senior professional with more than 18 years of experience in executing change and leading transformation initiatives. Across three continents, Punit has led projects and programs of varying complexity in business and technology. He has experience on both sides of the table in a variety of industries, serving as a consultant who worked for IT consulting companies, and as a key influencer and driver who has defined and delivered change for large enterprises.