GDPR Dirty Dozen: Myths, Misconceptions, and Misunderstandings about GDPR

by | May 21, 2018

The General Data Protection Regulation will be enforceable from Friday, May 25. Consequently, there has been a lot of media coverage of this new European Union leglisation.

There are a lot of misconceptions concerning what GDPR actually states, whom it affects and how it will be implemented. Here are some myths, misconceptions and/or misunderstandings about GDPR.

Myth #1: Personal Data is limited to data that will identify specific individuals.

This is an American way of looking at data. So from an American point-of-view, Personally Identifiable Information (PII) includes information like address, email address, social security number and name. 

Under GDPR guidelines personal data includes much more than what an American company would typically consider PII. Personal data for GDPR purposes is defined in the Act as: “data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.”

An example of the difference between the typical American view and the restrictions under GDPR would be a company that gathers personal information on individuals that use their services and asks them what their current job without asking for any other information. This, in itself, is not Personal Data as it could not be used to simply identify who a person is. However, if the company also asks what company the person works for then the combination of information submitted qualifies it as Personal Data as it can be used to identify the person in question.

A good guideline is that just about any information about individuals that could be combined in some way to identify the individual should be considered PII. This is very broad in scope and includes theoretical methods of identifying individuals even if it is not practical and the data collector has no realistic chance of actually combining the data to identify an individual. For example, collecting IP addresses along with other data means that an organisation could in theory persuade an Internet service provider to reveal the names and addresses of its subscribers using their IP addresses. While highly unlikely and almost certainly completely illegal, it means that any data associated with IP addresses should be consider PII under GDPR.

Myth #2: There’s only one way to show consent.

Since GDPR changes issues of consent, there is much confusion regarding what constitutes consent. Many think those collecting data must have explicit, written, detailed consent to collect, process, store and use data.

GDPR actually states that consent must be sought. It must be given of your own accord and the consent must be informed. This means every business – that has employees and/or clients who are European Union citizens –  must provide clear, easy-to-understand information about their rights to data protection.

The document states in Article 4 paragraph 11 that consent must be “unambiguous”.

Explicit consent, on the other hand, is required if the data being processed is deemed “sensitive” under Article 9 paragraph 2. For every non-sensitive data as long as the consent to process is unambiguous, then that is acceptable. In the case of non-sensitive data, implied consent could be in the form of an individual’s actions that appear to indicate that individual agrees to collection and processing of personal data.

Myth #3: My business is not located in an European Union state so GDPR doesn’t affect me.

It doesn’t matter where your business is located. If you having any dealings with European Union citizens, then you are obligated to conform to GDPR guidelines. Before you cast GDPR aside consider this: If you have an online presence, chances are high that you trade with, employ, or sell to an EU citizen. Think about marketing email.  Consent or opting out must be explicit and informed. You will no longer be able to contact people via marketing communications unless you first get their consent to do so. Moreover, as of GDPR in late May, consent may be withdrawn at any time.

Businesses and organizations will be obligated to send out a form asking for permission to collect, process, store and use personal data.

Myth #4: New staff will have to be hired to deal with issues regarding GDPR.

Someone in your company will have to receive requests, monitor use of personal data, set up company accountability to GDPR. These are usually responsibilities of a data controller and a data processor. The latter collects, stores and uses personal data. The former is responsible for making sure the company is GDPR compliant. The data controller might be a legal person or group that makes decisions about how and why data is collected and used. Both data controller and data processor roles might be assigned to individuals already in the employ or on contract to the company.

Likewise a company may hire the services of a data protection officer from a company or designate that job to someone already on the payroll. Hiring additional staff for any of these three positions is rarely necessary. You may appoint existing employees to take on these rolls.

Myth #5: Data breaches as outlined in GDPR guidelines will cost the company €20m or 4% of its annual income.

This information has sent many companies scrambling to comply by May 25. Yes these figures are mentioned in GDPR. However, data breaches are not all punishable by this degree.

First tier fines are not cybercrimes. They can be levied fines of the higher of: up to €10m or 2% of the annual income.

Second tier fines are up to €20m or 4% of your annual income —whichever is higher.

The tier and the level of the fine depend on the level of security in your company and how many people had their data compromised.

One of the biggest concerns, and one which will certainly affect the fine, is how secure your system is and how quickly you inform GDPR security officials of the breach.

Myth #6 When the United Kingdom secedes from the European Union, GDPR will be null and void.

Any company anywhere in the world, including in the UK, will still have to conform to GDPR guidelines if it does any business with employees or clients who are EU citizens. Even if your country, likethe UK and Australia, has its own data protection document, you are still under GDPR guidelines if your company does business with EU citizens. The UK’s Data Protection Plan is really an enhanced version of GDPR anyhow so whether UK withdraws from EU or not is a moot point. Complying with GDPR will put UK companies in a good position for when the Data Protection Bill comes into effect.

Myth #7: An individual’s Right to Access is a given.

It is a common misconception that every EU citizen who requests access to his personal data file must immediately be given that access immediately. Yes, under GDPR there are new guidelines about the right to access.

First, if a right to access is requested the company or organization holding the personal data file must provide this free of charge. Anyone who is an EU citizen and whose data is in a file in any company or enterprise may request access. Right to access will also be easier to apply for under GDPR regulations.

Access is not necessarily immediate. The organization has up to a month to comply. If there are special circumstances, or the request is deemed unfounded, they may have up to two months. The individual may be asked to fill out additional access request forms. The request must be written.

Requests are not always granted. For example: if a request is seen as unfounded, repetitive, or unduly excessive, it may be denied.  If this occurs, the data subject must be given alternatives. They may contract a judicial body or a supervisory authority to contest the denial of access.

Requesting individuals may also be denied access to their personal data would “adversely affect the rights and freedoms of others”. Under this category might be conflict of interest, jeopardy of trade secrets or IP rights compromising.

It is the right of the company’s data controller to grant or refuse an individual’s right to access. If that right is denied a reason must be given and the means to appeal clearly stated.


Myth #8: If data of minors is being collected, parental consent must be evident.

Parental consent is definitely required for anything related to marketing to children. This appears to be the primary objective of the parental consent sections of the GDPR guidelines and is specifically identified in Recital 38 as “personal data of children for the purposes of marketing or creating personality or user profiles “. However,pParental consent is not always needed under GDPR guidelines. If processing is based on the compliance of a legal obligation then parental consent is not required. So for example, airlines are required by law to gather certain information about all passengers, including minors. Parental consent is not required for the provision of government service such as healthcare, social services, and education. Recital 38 also specifically identifies services that may be provided to a child in certain circumstances without the knowledge of parents “The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”. Parental consent is also not required if this data is in vital or special interests according to Article 8, paragraph 1.

Myth #9: The prime reason for GDPR is security.

GDPR is concerned with individuals’ rights to security of their personal data. So that of course means that companies need to improve the information technology security. So that means stopping external threats like network intrusions (with software) but also stopping internal threats like staff responding to phishing attacks (with training). However, there is more to it than just security. Organizations are expected to implement privacy by design and by default. That should mean that companies reduce their risk by reducing the amount of data they hold on customers or potential customers in Europe. This is known as minimization. Companies also need to look at data pseudonymization where the value of the data is statistical and personal details do not add value. And finally, companies need to review who has access to customer data and implement need-to-know policies to minimise risk.

Myth #10 Data Storage and Retention is not an issue for my company.

If you think your company is immune to issues about what to retain and how to do so, you are probably wrong.

Data retention involves decisions about what to keep and what to destroy. Moreover, in its policies, businesses must give thought to when and in what manner documents will be destroyed and why and how documents will be retained.

Every organization that has any dealings with or employs EU citizens—anywhere in the world—must be in compliance with GDPR guidelines. These regulations are not just for EU states. The company retention policy must be made crystal clear to clients, employees and tradespeople with whom your business deals.

Key decisions must be made in accordance with the data storage and retention document your company crafted. Your appointed Data Controller will be tasked with ensuring your company follows its policy and GDPR guidelines.

Whether your enterprise stores data in-house or outsources storage space, the security of these files is critical. Both hard copies and digital copies must be securely archived. The more records your company opts to retain, the greater the physical space and the security needed for this task. Thus, it is a budget concern. Also a concern is who has access and how is this access controlled.

Implementing a new, solid retention policy is a must if you have any dealings with EU citizens. A solid plan well enforced will protect your company from hackers. A good plan avoids GDPR prosecution. It also ensures you do not lose valuable documents. When your company rethinks its retention policy it forces the company to reconsider retained files and what should be erased simply because it is no longer needed.

Myth #11: Businesses that collect data on clients or employees have no obligation to share that information with these people.

At the end of May, the General Data Protection Regulations go into effect in all European Union states. These regulations are aimed at greater protection of the data of EU citizens anywhere they live. One of the main facets of GDPR legislation is Data Subject Access Request (DSAR). This means that all EU citizens who have data collected by any business or enterprise can check to ensure that their data is being processed legally. This is just one of the rights of data subjects that GDPR has strengthened. Harsh penalties for non-compliance are intended to emphasize the severity of failure to provide DSAR.

Under GDPR, there are several changes. Businesses will continue to be able to ask for personal data from employees and clients. However, DSAR procedures within the company must be updated to reflect GDPR changes. Employers will have up to a month to respond to DSAR. They may not charge for time and labour required unless it can be shown by the Data Controller that the request is repetitive, unfounded, or unrealistic.

Companies will have to make decisions about what they collect, how it is processed, what they are using this data for, and how/if it will be retained.

There is a new emphasis on subject rights to examine their data, have it moved to another company, request revisions, corrections, additions, or even erasure of data. Moreover, data subjects must receive clear easy-to-understand information about each of these rights including DSAR.

In order to comply with DSAR and other employee/client rights, companies need to update their policies.

  • Staff must receive GDPR training so that they know data subject rights and how to respond to such things as DSAR.
  • Businesses need to have in place a procedure for receiving and responding to data subject requests. They need to have appointed someone in the company who will act as Data Controller who will handle such requests as DSAR.

Myth #12: There is no cause for concern. Businesses need not fear GDPR penalties for non-compliance.

In fact, a lot of companies are beginning to panic about the self-reporting of breaches in security of personal data.  

As of May 25, The General Data Protection Regulation (GDPR) goes into effect in all European Union states. What many organizations do not realize is that if they have any dealings with employees or clients who are European Union citizens, their company must comply with GDPR legislation.

What is a breach? According to GDPR legislation “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Before GDPR those embarrassing breaches might well have been swept under the carpet. However, the increased risk of large fines makes non-reporting a serious problem.

There is a new responsibility for companies. They must report any breaches or oversights in data protection. If they do not do so, they face severe penalties. Not only is the price of steep fines which could reach maximums of €20m a concern. The media coverage of these infractions and consequent penalties could hurt the company’s reputation.

Employee infractions, deliberate or accidental, may result in company fines such as the recent occurrence at Morrison’s. An employee’s deliberate disclosure of a staff member’s personal data ended with over five thousand employee demands for compensation. If this were to occur once GDPR is in effect, the company would also be facing a fine as well as staff members’ compensation costs.

As of May 25, Data Controllers in each company will be expected to notify the infractions control officer (ICO) of breaches immediately. The Controller has 72 hours to make the report after the breach is discovered. Any further delay is apt to result in significant fines. Employees will be tasked with informing their Data Controller of a data breach. If the breach is unlikely to pose a real security risk, the Data Controller is not obligated to inform the ICO.

Penalties for Tier One data breaches, the most serious, can result in the Data Controller and the company being fined up to €20m. Tier Two data breaches—less serious—may be fined up to €10m.  


GDPR is not a long document. However, it is technical, complex, and it is new. It is only natural that misconceptions and misunderstandings will occur. What is not a myth is that GDPR will have a significant impact on the data rights of individuals living in the European Union. Most organisations will need to change the way that they handle personal data and some functions in organisations such as sales and marketing will have to make significant changes to their day to day operations. 

Related GDRP Articles

GDPR Compliance Checklist


GDPR for US Companies

GDPR for Small Business

GDPR Email Requirements

GDPR Training

GDPR EU Representative

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy