You've no doubt heard some of the many GDPR myths - fines to bankrupt you, consent required for all manner of data processing activities, the death of email marketing - but the reality is, the GDPR is a good thing for business. We debunk the eight most common GDPR myths below.
You always require explicit consent
You do need explicit consent for certain activities, such as marketing or tracking via third-party companies. However, many data storage and processing activities will fall under one of the six lawful bases of processing.
It only applies to companies in the EU
The GDPR protects the data of EU residents and applies to any organisation that processes or stores their data. This means that even companies based outside of the EU could face legal action. In the event of failing to comply with the GDPR when processing or storing the personal data of EU residents.
You’ll face fines that could bankrupt you if you make a mistake
The GDPR has indeed given Data Protection Authorities (DPAs) the power to apply fines. These can rise to up to 4% a company’s annual turnover or €20 million, whichever is greater. However, these huge fines are likely to be imposed only in the most severe circumstances where companies have deliberately flouted the law and failed to involve their DPA when they have encountered a data breach.
Instead, it is more likely that the DPAs will hand out fines proportionate to the level of harm to the data subject posed by non-compliant behaviour. Also, they and will work closely with the company to prevent future non-compliance.
Small businesses are exempt
Organisations of any size are affected by the GDPR and have to comply with everything in it. There is a limited exception for SMEs concerning record-keeping, however, this exception applies only in specific circumstances.
The rest of the world will never introduce similar privacy laws
Already, non-EU countries are updating their own data protection legislation based on the GDPR model. This includes countries like Canada, China, India, Brazil. Many non-EU organisations have begun restricting access to their websites by EU residents to evade having to comply with the GDPR, but they may soon discover that they need to become compliant with an equally robust regulation in their own country.
GDPR only applies to data stored digitally
This is one of the GDPR myths very popular among businesses. The GDPR is about all EU residents' personal data, regardless of whether it's stored online or in a filing cabinet. Likewise, the same GDPR requirements apply whether you're taking information from your website, over the phone, or from a physical document.
You can refuse access to a service if users don’t consent to marketing cookies
'Conditional consent' or 'Forced consent' is no longer a valid form of consent under the GDPR.
If you want to use cookies, you must obtain the user’s consent. Users should have a clear, and easily understood, yes or no option. It is also important to ensure you provide accurate information about the data each cookie tracks and its purpose.
Only the marketing department will be affected
Marketing departments in organisations around the world are no doubt eager to ensure their activities are compliant so they can continue doing their job effectively and legally. However, the GDPR reaches all levels of an organisation that store or access personal data in any regard. From HR departments handling employee data to logistics and supply chain departments managing deliveries to customers. It’s therefore essential that businesses understand the flow of data throughout the entire business and provide both basic and advanced GDPR training for staff wherever it is required.
Are you fully compliant? Find out more about how the Sovy GDPR Privacy Essentials can help your business.
Last updated: June 15, 2021