7 Misconceptions about GDPR You Need to Understand Now

The European Union's General Data Protection Regulation (GDPR) protects the personal data of individuals in the EU and imposes strict requirements on any organization that collects or processes that data. The GDPR applies from 25 May 2018 and has been described as the biggest change to data privacy regulation in two decades.

The GDPR demands a high standard of compliance from affected organizations; those that fail can be fined up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.

However, many companies do not fully understand their obligations under the GDPR or misinterpret what the law demands. Here are seven common misconceptions about the GDPR and what organizations actually need to know.

Misconception #1:
The GDPR affects only companies within the EU.

This is wrong. Under Article 3, the GDPR applies to any organization established in the EU, wherever its processing actually takes place, and to any organization outside the EU that offers goods or services to people in the EU or monitors their behaviour there. Note that the test is whether the data subjects are in the EU, not whether they are EU citizens: a company with no EU office that processes the data of people located in the EU must still comply.

Misconception #2:
The GDPR covers only private and sensitive personal data.

The GDPR defines personal data broadly (Article 4(1)) as any information relating to an identified or identifiable natural person. That includes obvious identifiers such as name, date of birth, home address and government ID numbers, but also e-mail addresses, IP addresses, cookie and device identifiers, and location data. A narrower set of "special categories" (Article 9), including health and genetic data, biometric data used for identification, racial or ethnic origin, political opinions, religious beliefs and sexual orientation, is subject to additional restrictions: processing is prohibited unless a specific condition such as explicit consent applies. Organizations therefore need appropriate security measures (Article 32) for all the personal data they hold, with stricter controls for the special categories, not only for what they happen to consider sensitive.

Misconception #3:
It is easy to meet the GDPR notification requirements if a data breach occurs.

Article 33 requires a controller to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If notification is late, the controller must explain the delay. The notification must describe the nature of the breach (including, where possible, the categories and approximate numbers of data subjects and records affected), give the contact details of the data protection officer or another contact point, describe the likely consequences, and describe the measures taken or proposed to address the breach. On paper that looks simple; in practice, 72 hours is very little time to detect the breach, establish its scope, assess the risk and get the facts signed off. Firms should therefore have an incident response process in place in advance: know which supervisory authority is competent, keep a notification template ready, and decide who is authorized to make the call. Where not all the facts are available within 72 hours, the information may be provided in phases.

Misconception #4:
All individuals whose data are breached must be informed.

Article 34 requires the controller to inform affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms. Notification is not required if the affected data were rendered unintelligible to unauthorized persons, for example by encryption (which only helps if the keys were not exposed as well); if subsequent measures ensure the high risk is no longer likely to materialise; or if notifying individuals would involve disproportionate effort, in which case a public communication or similar measure must be used instead. The supervisory authority can also order the controller to inform individuals regardless.

Misconception #5:
There are no legal consequences other than fines.

Fines are only one of the corrective powers supervisory authorities have under Article 58. They can also issue warnings and reprimands, order an organization to comply with a data subject's request or to bring its processing into line with the regulation within a set time, order the rectification or erasure of personal data, impose a temporary or permanent ban on processing, and suspend data flows to a recipient in a third country. Separately, individuals have a right to a judicial remedy and to compensation for damage caused by unlawful processing (Articles 79 and 82). A processing ban or a forced remediation programme with a deadline can cost more than a fine.

Misconception #6:
The GDPR adds no new privacy rights.

The GDPR strengthens existing rights and adds rights that organizations outside the EU, or organizations used to earlier frameworks, may not be accustomed to. They include:

  • The right of access (Article 15): individuals may obtain confirmation that their data are being processed, a copy of the data, and information about the purposes, recipients and retention period.
  • The right to rectification (Article 16): organizations must correct inaccurate personal data on request.
  • The right to erasure, or "right to be forgotten" (Article 17): an organization must delete personal data on request in specific circumstances, for example when the data are no longer needed for the original purpose, when consent is withdrawn or when the processing was unlawful. The right is not absolute; exceptions include legal obligations to retain data and freedom of expression.
  • The right to restriction of processing (Article 18): under certain conditions, for instance while the accuracy of the data is being contested, individuals may require an organization to stop processing their data other than storing it.
  • The right to data portability (Article 20): individuals may receive the data they have provided in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance, where the processing is based on consent or a contract and carried out by automated means.
  • The right to object (Article 21): individuals may object to processing based on legitimate interests or the public interest, and may always object to direct marketing.
  • Rights relating to automated decision-making (Article 22): individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects for them, subject to limited exceptions.

Misconception #7:
Pseudonymised, encrypted and anonymised data fall outside the GDPR.

The GDPR does exempt some data, and that has created the impression that pseudonymous, encrypted and anonymous data, and data processed for legal purposes, can be used freely. Only truly anonymous data, which cannot be linked back to any individual by anyone, is outside the regulation (Recital 26). Pseudonymised data, where direct identifiers have been replaced with a token or key but the mapping still exists, remains personal data because it can be re-attributed with additional information (Article 4(5)); the GDPR encourages pseudonymisation as a safeguard, not as an exemption. Encrypted data is likewise still personal data for anyone who holds the key; encryption is a security measure under Article 32 that may spare an organization from notifying individuals after a breach, but it does not take the data out of scope. Processing required by law is lawful under Article 6(1)(c), but it remains subject to the rest of the regulation.

The GDPR will inevitably be misinterpreted, which is why clearing up these points matters as the deadline approaches. Its arrival gives individuals considerably more protection for their data held on organizational systems, and obligations that organizations need to understand now.