By now we have all heard about the GDPR and the fines it brings, and about how it gives people more privacy and safety online.
But is everything said about the GDPR true? Or is some of that information not quite accurate?
In this article we bring you the top 5 GDPR myths we have come across.
Number 1: Only Europeans have to comply with the GDPR
This is one of the biggest GDPR myths ever! It also turns out to be confusing for some people to work out who has to comply and who does not.
The truth is that the GDPR applies to every company in the world that works with the personal data of European citizens.
Whether your company is in the US or in Asia, if you work with Europeans’ data you must comply with the GDPR.
To avoid fines, some US newspapers blocked access to their websites from Europe.
Number 2: All organizations need a DPO
The DPO (Data Protection Officer) is an important part of a big company, but not every company needs one.
A DPO should be appointed if your organization is a public authority, or if it engages in large-scale processing of personal or sensitive data.
If your company is smaller or does not process this kind of data, you should still always be careful with the data your company holds, but a DPO is not strictly necessary.
Number 3: GDPR’s biggest threat to companies is massive fines
The GDPR is not about fines; it is about protecting users’ data, online and in the real world.
It is true that the legislation provides for fines of 20M/10M or 2% to 4% of annual revenue, but that is not the focus of the law.
The fines exist to enforce the law and to make sure more companies respect it, comply with it and do not mistreat users’ data abusively.
Big companies like Google and Facebook are the ones who have paid the highest fines so far.
Number 4: All personal data breaches will need to be reported to the responsible authority
Reporting a personal data breach is mandatory under the GDPR, but only if the breach is likely to result in a risk to people’s rights and freedoms. So, if the breach poses no such risk, you do not need to report it.
Do you know how to report a data breach if it happens?
Number 5: When relying on consent to process personal data, consent must be explicit.
Consent must be “unambiguous”, not “explicit” (Art 4(11)). Explicit consent is required only for processing sensitive personal data; for ordinary personal data, something like an “opt-in” will do the trick (Art 9(2)).