You’ve no doubt heard some of the many GDPR myths – fines to bankrupt you, consent required for all manner of data processing activities, the death of email marketing – but the reality is, the GDPR is a good thing for business. We debunk the nine most common GDPR myths below.
You always require explicit consent
Whilst you do need explicit consent for certain activities, such as marketing or tracking via third-party companies, many data storage and processing activities will fall under one of the six lawful bases of processing, such as legitimate interests or contractual obligations.
Find out more about the six lawful bases for processing.
It only applies to companies in the EU
The GDPR protects the data of EU residents and applies to any organisation that processes or stores their data. This means that even companies based outside of the EU could face legal action if they fail to follow the regulation of the GDPR when processing or storing the personal data of EU residents.
You’ll face fines that could bankrupt you if you make a mistake
The GDPR has indeed given Data Protection Authorities the power to apply fines of 4% a company’s annual turnover or €20 million, whichever is greater. However, these huge fines are likely to be imposed only in the most severe circumstances where companies have deliberately flouted the law and failed to involve their Data Protection Authority when they have encountered a data breach.
Instead, it is more likely that Data Protection Authorities will hand out fines proportionate to the level of harm to the data subject posed by non-compliant behaviour and will work closely with the company to prevent future non-compliance.
Small businesses are exempt
Organisations of any size are affected by the GDPR and have to comply with everything in it – there is a limited exception for SMEs concerning record-keeping, however, this exception applies only in specific circumstances.
The rest of the world will never introduce similar privacy laws
Already, non-EU countries are updating their own data protection legislation based on the GDPR model. This includes countries like Canada, China, India; even the United States are considering an update to their privacy laws. Many non-EU organisations have begun restricting access to their websites by EU residents to evade having to comply with the GDPR, but they may soon discover that they need to become compliant with an equally robust regulation in their own country.
GDPR only applies to data stored digitally
The GDPR is about all EU residents’ personal data, regardless of whether it’s stored online or in a filing cabinet. Likewise, the same GDPR requirements apply whether you’re taking information from your website, over the phone, or from a physical document.
You can refuse access to a service if users don’t consent to marketing cookies
‘Conditional consent’ or ‘Forced consent’ is no longer a valid form of consent under the GDPR.
GDPR won’t apply in the UK after Brexit
The UK has already introduced the Data Protection Act 2018, which updates the Data Protection Act 1998 to conform with the GDPR. Whilst the UK will be able to amend it after Brexit, it is unlikely that they will make significant changes since continued voluntary compliance with the GDPR is crucial to ensuring that UK and EU data transfers continue without issue.
Only the marketing department will be affected
Marketing departments in organisations around the world are no doubt eager to ensure their activities are compliant so they can continue doing their job effectively and legally. However, the GDPR reaches all levels of an organisation that store or access personal data in any regard – from HR departments handling employee data to logistics and supply chain departments managing deliveries to customers. It’s therefore essential that businesses understand the flow of data throughout the entire business and provide both basic and advanced GDPR training for staff wherever it is required.
Are you fully compliant? Find out more about how the Sovy GDPR Privacy EssentialsSM can help your business.