GDPR Myths Still Exist a Year Later


It’s been a year since the General Data Protection Regulation (GDPR) went into effect, but individuals and businesses still have misconceptions surrounding it.

Here are six common myths about the GDPR:

  1. The large fines are just a threat.

    Pre-GDPR, there was a lot of buzz about the extremely heavy fines that could be placed on businesses that failed to comply with the regulations. (Fines can be up to €20 million or 4% of the company’s global annual revenue of the prior financial year.) Some companies believed it was simply a threat that couldn’t be carried out.

    However, France’s data protection agency, CNIL, fined Google €50 million (about $56.8 million USD) for noncompliance earlier this year. While this is far less than 4% of Google’s annual global revenue, the fine marked the first time a major tech company was penalized under the new regulations. Fines have also been levied against smaller businesses including a German social network platform and an Austrian sports betting café.

  2. The GDPR won’t apply to the UK after Brexit.

    This may be wishful thinking on the part of business owners who don’t want the hassle of achieving GDPR compliance. UK businesses will have the exact same compliance requirements after Brexit as they did before. No matter where a company is located, it’s required to comply with GDPR legislation when interacting with EU residents.

  3. Once you’re compliant, you can stop worrying.

    Great, you’re compliant! However, maintaining compliance with the GDPR is an ongoing process. Businesses must ensure that they’re taking regular steps to keep personal data secure. Cyber security breaches and the use of third-party services, such as when employees share files via internal communication tools like Slack and Dropbox, can pose huge risks.

    For example, the British government inadvertently leaked official documents by uploading files to public Trello boards. A simple Google search for these reports revealed sensitive data including communications with counter-terrorism officers.

  4. The GDPR is just a way to punish organizations.

    The GDPR’s primary objective is to protect consumer data. Because previous rules surrounding data protection had become extremely outdated, they afforded little protection to consumers.

    While it’s true that the legislation has provided regulators with greater powers to fine organizations, it has also created a consistent framework for companies to operate in. This allows companies to better understand privacy expectations and requirements.

  5. Because of the GDPR, consent must be explicitly obtained.

    One of the most common GDPR myths is that consumers always need to give explicit consent in order to receive marketing emails. Organizations can actually utilize a clause that allows them to contact individuals if there’s legitimate interest from the individual. However, it’s important to note that businesses cannot use this clause as a catch-all. By choosing to rely on legitimate interests, you are taking on extra responsibility for protecting people’s privacy rights.

  6. All organizations need to appoint a DPO.

    Although the GDPR makes reference to the importance of a Data Protection Officer (DPO), your organization may not need one. You will typically need a DPO if you are a public body that processes data, if your core activities involve regular monitoring of data subjects, or if you process sensitive data on a large scale.


Getting It Right

Getting compliance right will help you avoid the risk of large fines and give your business added security. Ensuring data privacy is the key.

Make sure your organization is protected with Cyber Security Tools for Today’s Environment, an 11-course program from IEEE. The program covers cloud security, cryptography fundamentals, mobile device security, and more. It’s intended for professionals in IT, computer science, and related fields. Upon successful completion, your engineers will receive valuable CEUs/PDHs that can be used to maintain engineering licenses. Connect with an IEEE Content Specialist for details today.



