The GDPR can be intimidating.
It has been around for almost four years, but one keeps hearing all sorts of different opinions.
And the advice found online doesn’t always help.
We get it.
To protect data subjects and guarantee their data sovereignty, the GDPR creates a fairly sophisticated framework. A layperson might not be familiar with much of the terminology used. And even lawyers can only speculate as to the scope of certain provisions.
But being confused by the GDPR’s intricacies is one thing.
Falling for myths that have been proven wrong is another.
In this article, we’ll cover 5 GDPR myths that have long been debunked – but that somehow are still popular.
Myth 1: The GDPR only applies within the EU
One might think the GDPR doesn’t apply outside the Union. After all, it’s a piece of EU legislation, isn’t it?
Indeed it is – but its territorial scope extends well beyond the borders of the Union.
According to Article 3, non-EU businesses have to comply with the Regulation when:
- They offer goods or services to people in the EU, and
- They monitor the behavior of people in the EU.
So do not assume that just because you are based outside the Union, you can happily forget about the GDPR.
Myth 2: The GDPR applies only to digital information
It’s understandable why people fall for this myth: the biggest dangers to data security and privacy arguably come from the net.
But the GDPR was intended to be technologically neutral. And as such, it doesn’t limit itself to regulating electronic files.
According to Article 2(1), the Regulation applies «to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.»
This means that if your paper documents form part (or you want them to form part) of a relevant filing system, they must be processed according to the GDPR.
Myth 3: The GDPR doesn’t apply to small businesses
This is a die-hard myth – and a dangerous one.
No matter how big or small a business is, the GDPR still applies.
If you don’t believe it, look at Article 2, defining the Regulation’s material scope. There’s no mention of size. And there’s no reference to the 250-employee threshold.
The article that does include this reference is Article 30(5), declaring that «the obligations [to maintain records of processing activities] shall not apply to an enterprise or an organisation employing fewer than 250 persons […].»
In other words, the article only states that companies with fewer than 250 employees are exempted from keeping records of processing activities.
It doesn’t state anywhere that they don’t have to comply with the GDPR.
Myth 4: The GDPR doesn’t apply to individuals
Don’t be fooled by Article 2(2)(d).
The provision indeed states that the GDPR «[…] does not apply to the processing of personal data […] by a natural person in the course of a purely personal or household activity.»
But this wording doesn’t mean natural persons shouldn’t care about the GDPR.
A natural person processing data in relation to an activity other than purely personal is still bound by the Regulation. This conclusion is supported by Article 4(7), according to which a data controller can be a natural person.
Stating that only businesses are liable for violating the GDPR is also incorrect.
It’s true that Article 83 talks about “total worldwide annual turnover,” suggesting lawmakers drafted that part of the provision with businesses in mind.
But a comprehensive reading of the article, with its mention of “administrative fines,” clarifies that individuals can also be subjected to sanctions for violating the GDPR.
Myth 5: Personal data is narrowly defined
We’ll never stress it enough: under the GDPR, “personal data” is not synonymous with “sensitive data.”
Since all sensitive data is personal data, the two categories overlap: but the first (“personal data”) is significantly broader than the second (“sensitive data”).
According to Article 4, GDPR, “personal data” means “any information relating to an identified or identifiable natural person.”
It’s a broad definition, and it embraces information few people would instinctively associate with the term “personal data” (such as IP addresses and location data).
Sensitive data, on the other hand, is described by Article 9 as “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, […] genetic data, biometric data […], data concerning health or data concerning a natural person’s sex life or sexual orientation.”
Because of its nature, sensitive data benefits from an additional layer of protection. But all personal data (including personal data that is not sensitive, such as email addresses, names, location data) has to be processed in accordance with the GDPR.
Conclusion: GDPR myths are dangerous
The GDPR is complex, and it can be hard to keep up with all its provisions.
At the same time, the Regulation is too important to be ignored or, worse, misunderstood. Businesses (and individuals) stand to lose a significant amount of money if they fail to comply with the GDPR’s provisions. What’s worse, they could lose their customers’ and investors’.
Take the time to understand the basics of the GDPR and consult with a lawyer whenever in doubt.