Today we are demystifying the biggest GDPR myths. By now we all have heard about the GDPR and its fines. People have more privacy and safety online.
But is it all true what they say about the GDPR?
Here is a list of the top 5 GDPR myths.
1: Only Europeans have to comply with the GDPR
This is one of the biggest GDPR myths ever! It also turns out to be a bit confusing for some people to realize who has to comply and who doesn’t.
The truth is, that the GDPR applies to all companies in the world working with EU citizens’ data.
It doesn’t matter if your company is located in the US or China, if you work with Europeans’ data, you must comply with the GDPR.
To avoid fines some US newspapers even blocked websites in Europe.
2: All organizations need a DPO
The DPO is an important part of a big company, but not necessary for all businesses.
Your company needs a DPO if it’s a public authority, or if it engages in large-scale processing of personal or sensitive data.
If your business is smaller or doesn’t process this kind of data, you should still be careful with the data your company holds, but a DPO isn’t necessary.
3: Fines are the GDPR’s biggest threat to companies
The GDPR is not about fines, it’s about protecting users’ data online and in the “real world”.
Sure, there is legislation regarding 20M/10M fines, but that’s not the focus of the law.
Its goal is to enforce the law and make sure more companies respect it, comply with it and don’t abuse users’ data.
Big companies like Google and Facebook have paid the highest fines by now.
4: All personal data breaches will need to be reported to the responsible authority
It will be mandatory to report a personal data breach under the GDPR, but only if it’s likely to risk people’s rights and freedoms. So, if that isn’t the case, you don’t need to report it.
Do you know how to report a data breach if it happens?
5: When relying on consent to process personal data, consent must be explicit.
Consent must be “unambiguous”, not “explicit” (Art 4(11)). Explicit consent is required only in the processing of sensitive personal data – in this context, something like “opt-in” will do the trick (Art 9(2)).