keyboard_backspaceBack to main blog page


A guide of business rules...

Common Myths and Misconceptions About GDPR Compliance

Lan Bell Lan Bell , 6/14/2018
This content has not been rated yet.

The deadline for GDPR has now passed, so any company that is not in compliance can potentially be issued with a major fine. Many companies have yet to comply with GDPR due to misconceptions about what is required. To help clear up confusion, some of the most common GDPR myths and misconceptions are detailed below.

Common Misconceptions About GDPR

Listed below are some of the common misconceptions about GDPR that could land companies in hot water.

GDPR Only Applies to Companies Based in the EU

GDPR is an EU directive, so why should companies based in other countries have to comply with GDPR? They don’t, if they have no dealings with EU residents that require the collection or processing of personal data. If they do, then compliance is mandatory. That also includes businesses that maintain websites that can be accessed by EU residents.

Small Businesses Are Exempt

A casual glance at Article 30 of GDPR may lead you to believe that small businesses, those with fewer than 250 employees, do not need to comply with GDPR. Small businesses are treated slightly differently and do not – except in certain circumstances – need to comply with the reporting requirements of GDPR detailed in Article 30, but they are required to comply with other provisions of GDPR.

Data Processing Agreements Are Not Needed

If you are a data controller, you must still have an agreement in place with the data processor. Data processors can be fined directly under GDPR, but that does not put data controllers in the clear. Contracts still need to be in place. Additionally, data processors should only be used if they can provide sufficient guarantees that they have the appropriate organizational and technical measures in place to meet the requirements of GDPR.

Previous Consent Obtained from Customers is Sufficient

If you have previously obtained consent to process personal data of data subjects, your previous consent forms may be compliant with GDPR, but chances are they are not. GDPR compliant consent means an individual must have clearly given their consent to allow their data to be used, which means the uses must have been clearly explained.


Consent must have been obtained through a clear, affirmative action. If you relied on silence meaning consent or continued use of a website constituting consent to a privacy policy, additional consent will most likely be required to continue to process past customers’ data.

Brexit Means UK Companies Do Not Need to Comply with GDPR

UK is an EU Member State at the time of the GDPR compliance deadline so compliance with GDPR is mandatory. Even though the UK has its own data protection laws, GDPR still applies. Even Brexit will not make a great deal of difference. Companies will still be required to comply with GDPR if they employ any EU citizens or do business with EU residents.

Once Consent is Obtained, Data Can be Stored and Processed Indefinitely

Data retention policies and procedures must be developed and implemented, and data subjects must be informed about how data will be used and for how long. Companies do not have a right to retain personal data indefinitely. Personal data should only be retained for as long as necessary to complete the tasks for which the data were collected, after which, data should be destroyed or deleted securely.

Personal Data Only Includes Standard Personally Identifiable Information

The definition of personal data has been expanded under GDPR. The previous EU regulation that GDPR replaced regarded personal information as name, age, date of birth, gender, ethnicity, address, and job title. Now personal data includes all of the above plus biometric data, medical information, pseudonymous data, and personal metadata.


Under GDPR, personal data are “data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.” That includes an individual’s IP address for example.