
5 myths you are likely to believe about the GDPR


The General Data Protection Regulation (GDPR) has applied since 25 May 2018 with the aim of giving individuals in the EU more control over their personal data. The regulation applies to any organisation that processes the personal data of individuals in the EU (and, via the EEA Agreement, the wider EEA), regardless of whether the organisation is based inside or outside the EU.

Although the GDPR has generally been well received, there are still many myths and misunderstandings about what it entails. In this blog post, we debunk some of the most common GDPR myths and help you better understand the regulation.

Myth #1: GDPR only applies to companies based in the EU

This is a widespread myth that is often repeated in the business world. Many mistakenly believe that the GDPR only applies to companies based in the European Union (EU). This is not true. Under Article 3, the GDPR applies to companies established in the EU, and also to companies established outside the EU whenever their processing relates to offering goods or services to individuals in the EU (whether or not payment is required) or to monitoring the behaviour of individuals in the EU. Note that what matters is where the data subjects are, not their citizenship. So if your company has customers in the EU, you must comply with the GDPR.

This also applies to companies that have no presence in the EU but offer their products or services to individuals in the EU, for example through a website that ships to EU addresses or accepts payment in euro. Such companies must, as a rule, also designate a representative in the EU under Article 27. It is important for companies worldwide to be aware of this and to ensure that they meet GDPR requirements in order to avoid penalties and fines.

Myth #2: Only large companies are affected by fines

This is not entirely accurate. Under the GDPR, all organisations that collect, process, and store personal data face fines for non-compliance, regardless of their size or type. This includes small and medium-sized enterprises, charities, government agencies, and other entities that process personal data.

The GDPR provides for a tiered system of fines based on the severity of the violation: under Article 83, the lower tier is up to EUR 10 million or 2% of total worldwide annual turnover, and the upper tier up to EUR 20 million or 4%, in each case whichever is higher. The nature, gravity and duration of the infringement, the degree of negligence, and the organisation's cooperation with the supervisory authority are among the factors taken into account when determining the amount. Fines are not, however, the only penalty for non-compliance. Supervisory authorities have a range of enforcement tools at their disposal, such as ordering organisations to cease data processing or delete personal data, and imposing a temporary or permanent ban on data processing activities.

Myth #3: GDPR means I can't send marketing emails without explicit consent from everyone on my mailing list

Not quite. You can continue to send marketing emails under the GDPR, but you must have a lawful basis for doing so. One of the legal bases for processing personal data is "legitimate interest", and Recital 47 expressly mentions direct marketing as a possible legitimate interest. Bear in mind, though, that email marketing is additionally governed by the ePrivacy rules as transposed into national law, which is why the details differ from country to country. In Germany, for example, § 7(3) of the Act against Unfair Competition (UWG) allows you to send marketing emails to existing customers without consent, provided that you obtained the email address in connection with a sale, you advertise only your own similar goods or services, the customer has not objected, and the customer was clearly told at collection and in every email that they can object at any time.

Where you cannot rely on legitimate interest or the existing-customer exception, you need the individual's consent before sending marketing emails, and under the GDPR that consent must be freely given, specific, informed and expressed by a clear affirmative act (a pre-ticked box does not count). For example, if someone has unsubscribed from your mailing list, you need fresh consent before adding them back. Even if someone has consented to receiving marketing emails, they can withdraw that consent at any time by using the "unsubscribe" link in your emails or by contacting you directly, and withdrawing must be as easy as consenting was.

Myth #4: Compliance with the GDPR is expensive and time-consuming

A common myth surrounding GDPR is that compliance with its regulations is expensive and time-consuming. While it is true that implementing the necessary measures requires some effort, the costs and time involved are usually manageable and can even lead to long-term savings.

Like any major compliance initiative, complying with GDPR requires an initial investment of time and money. However, once you have established guidelines and procedures for data protection and trained your employees accordingly, which can be facilitated by hiring an external data protection officer with the relevant expertise, maintaining GDPR compliance should not require significant ongoing cost or time.

A good way to save time and money is to rely on ready-made data protection tools like heyData. With heyData, you can quickly and easily take the necessary data protection measures and ensure GDPR compliance. The data protection software can, for example, help you generate your privacy policy, conduct data protection impact assessments, keep your record of processing activities, and much more. This not only saves you time and money but also reduces the risk of fines and legal consequences. The myth of expensive and time-consuming GDPR compliance therefore does not hold up in practice.

Myth #5: All company data processing activities require the DPO's consent

Under the GDPR, companies must protect the personal data they process and ensure compliance with data protection law. A common question companies have is whether they need the consent of the Data Protection Officer (DPO) to carry out their data processing activities.

The answer is no. Even where a company has appointed a DPO, the DPO's role under Article 39 is to inform, advise and monitor compliance, not to approve individual processing activities. Responsibility for compliance remains with the company as controller (Article 24), and Article 38 protects the DPO from being penalised for carrying out these tasks. What companies must ensure is that every processing activity rests on a suitable legal basis under Article 6. Consent is only one of these; the others include performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and the controller's legitimate interests.

Overall, companies do not need the DPO's consent for all data processing activities. Instead, they must ensure that they comply with GDPR and have a suitable legal basis for their data processing activities.

Conclusion

Even five years after the introduction of GDPR, there is still confusion surrounding GDPR. We hope that this blog post has helped dispel some of the myths surrounding the regulation. If you are still unsure how GDPR applies to your business or what steps you need to take to comply with its regulations, contact heyData's data protection experts – we are happy to help!
