The General Data Protection Regulation (GDPR) became law on May 25, 2018. Ever since many organizations have strived to be compliant. They have adopted several changes to their policies and processes to meet the GDPR standards (read our GDPR guide). However, even after more than a year, there are still many common myths that surround the Regulation. This article discusses some of them.

Only Affects EU Organizations

GDPR’s territorial scope is broad. Any organization, regardless of location, is responsible for complying if they handle personal data of people in the EU.

Just About Fines

No. GDPR is not just about fines; neither is it enforced to punish organizations. The main aim is to protect the data. It aims to give people more control over their data and respect their privacy.

GDPR fines may be substantial, but there are other consequences, such as loss in trust and reputation. An organization can avoid fines if it is transparent and responsible.

Small Organizations are Exempted

Organizations, whether small or big, cannot escape the GDPR if it collects and processes personal data of people in the EU.

Brexit: UK’s GDPR Exit

Even after Brexit, the UK will still commit to the Regulation. They will have the same framework for data protection as the GDPR after Brexit.

Consent is a Must

  • Per Article 6, consent under GDPR is one of the six legal bases for processing personal data. Not the only one. As long as the organization identifies the basis for processing and follow it, it should be fine.
  • No need to refresh existing consent as long as it follows the GDPR conditions.

Everyone Should Hire a DPO

Not every organization has to hire a Data Protection Officer (DPO). If an organization deals with large-scale processing of personal data, especially sensitive, then it should appoint a DPO.

Data Breach: Report It All!

  • Another myth is that one needs to report all data breaches to the respective Authority. This is not true. Report data breaches that are likely to result in a risk to the affected people’s rights and freedom.
  • Data breach must be reported within 72 hours of becoming aware of it, and details related to it should be provided to the authority. However, there is no need to give details that are not readily available; it can be done later. The most important details are the cause, potential risk, action plan to tackle it, and whatever is immediately available in hand.
  • Not all data breaches will land organizations in trouble. If they are honest and cooperative and have an effective plan to mitigate the issue, fines can be avoided. As the GDPR states, “Tell it all, tell it fast, tell the truth.”

Compliance is Enough

Once compliant, one cannot just sit back and relax. Organizations should regularly review their compliance programs because GDPR is an ongoing process.

Only GDPR is Enough

Never. Even though the GDPR is designed as a regulation for the EU and the UK, there can still be separate additional standards regarding data protection set by different countries. An organization should follow these rules on top of the GDPR.

GDPR is an Unnecessary Burden

GDPR is not designed to be a burden on organizations. The law intends to empower people by protecting their rights and freedom. In any case, mishandling the personal data will tarnish an organization’s reputation and the trust people have in it. So, the Regulation is one way to enhance it.


Do not treat the GDPR as a burden but rather a responsibility that an organization needs to fulfill. The goal should be to make an organization’s processes safe and secure and build better relationships with the data subjects. Always remember – “data matters.” It is beneficial to keep a checklist for compliance. However, take every step with care and after proper research and guidance from professionals.

Disclaimer: This article is not legal advice. The sole purpose of the article is to share general information with the readers. For any legal query and help, please contact a lawyer or professional in the area.