GDPR – Five Myths Debunked

GDPR has had a profound impact on the business landscape across the globe since it came into effect on May 25th, 2018 as companies scramble to review and improve their data protection and data privacy practices to achieve GDPR compliance. Leading up to and in the time since GDPR went into effect, misinformation and myths have swirled about the internet regarding everything from who is in scope to the penalties an organization could face.

Writers, bloggers, and data protection experts have brought discussions to public forums, published articles, and gave speeches on the many important aspects of GDPR. Overall, they provide valuable insight and facts about the new regulation. However, many have fallen short in conveying the complexity of GDPR, and shared incorrect interpretations of this wide-reaching regulation.

This misinformation has taken root as a collection of myths that are commonly disseminated across industries. In this overview, we'll address the top five myths surrounding GDPR.

Myth #1 

My company doesn’t operate in the EU nor do we have European employees, GDPR doesn’t apply to me.


GDPR was written to have a wide scope and to provide EU data subjects (Note: Not only EU citizens, but any person in the EU) with rights that protect their data, even if the organization collecting the data is not in the EU and they do not have any EU employees.

Some common ways GDPR can still apply to an organization:

  • Offers goods or services to EU data subjects
  • Collects personal information from EU data subjects via a web form or corporate website
  • Monitors or tracks online behavior of EU data subjects
  • Solicit or receive job applications from candidates in the EU

Myth #2

Avoiding the threat of fines is the only reason to comply with GDPR.


The supervisory authorities tasked with enforcing GDPR fines have historically preferred guiding, advising, and educating organizations on how to comply instead of taking a blunt approach of handing out massive fines for every incident of non-compliance. Fines, although costly, are only temporary reprimands to incentivize compliance. 

An important view to adopt is that GDPR has only begun enforcing practices that companies should already have in place. The safety and privacy of consumer data should be a top priority for every organization and building trust through the ethical and transparent use of data can have long-lasting positive impacts for a company. Taking these steps can prevent potential damage to brand identity, loss of customer loyalty, and other major issues that arise from mishandling personal information. Additionally, complying with GDPR can help prepare organizations for future laws that are on the horizon (For example, the California Consumer Privacy Act).

Myth #3

GDPR requires you to have consent in order to process personal information.


Without a doubt GDPR has raised the standard for obtaining consent. Pre-ticked boxes, gated content, and other old methods of passively gaining consent or requiring consumers provide personal information are no longer allowed as they were in the past. 
However, consent is only one of six lawful bases for collection of personal information. Depending on the case, another legal basis may be more suitable for use than consent.

Myth #4

My company has validated that we’re not exposed to GDPR therefore we shouldn’t overhaul our data privacy and security programs.


GDPR is a landmark regulation that has caused many countries around the world to explore similar data protection and data privacy regulations. Working towards GDPR compliance can help companies take the necessary steps to “future proof” themselves against regulations that are expected to be modeled off GDPR. For example, the California Consumer Privacy Act which goes into effect in 2020 has many similarities to GDPR, such as data subject rights, and may impact many companies not exposed to GDPR.

Myth #5 

GDPR is mainly about preventing cybercrime and hacking.


GDPR is designed with both data protection and data privacy in mind. There are a handful of articles in GDPR that relate to data breaches and technical measures for protecting data from criminals, but the scope is much wider than just data protection. 
Data subject rights, consent, partner contracts, international transfers, documentation, procedures, and privacy by design are just some of the many facets that GDPR emphasizes. 


Have more questions about GDPR? We can help. 

PCG provides you with the expertise needed to ensure that your organization's data governance practices and data management strategies are GDPR compliant. Click here to read more about our GDPR services or contact us today at 1.800.731.7153 to schedule a complimentary GDPR discovery session.

Project Consulting Group 104 Main St N Ste 100
Stillwater, MN 55082