8 Most Common Misconceptions About GDPR Compliance
GDPR compliance refers to adhering to the General Data Protection Regulation (GDPR), which is a comprehensive and far-reaching data protection and privacy law in the European Union (EU). It became enforceable on May 25, 2018, and applies to organizations, both within and outside the EU, that process the personal data of EU residents.
GDPR compliance is not a one-time task but an ongoing commitment to protecting individuals’ data privacy. It requires a combination of legal, technical, and organizational measures to ensure that personal data is processed lawfully, fairly, and transparently. Many organizations, both in and outside the EU, have had to adapt their processes and policies to meet GDPR requirements to avoid penalties and maintain the trust of their customers.
1. As a small business, I am only processing a limited amount of data, so there is little to no risk.
Article 4(1) and (2) of the GDPR provide the definitions of “personal data” and “processing”. While the content of the compliance obligations may differ (see 2 below), there is no distinction between “large” amounts of data and “small” amounts of data. Rather, any processing of personal data will trigger compliance obligations.
2. If I have less than 250 employees, I don’t need to do anything!
The derogation provided by Article 30(5) of the GDPR relates to Records of processing activities only (there are other compliance obligations!) AND it is not absolute!
3. The Data Protection Authority does not go after small businesses, but rather big corporations/large enterprises.
When it comes to applying fines, the GDPR does not distinguish according to the size of the company; rather, the fines are up to 4% of the annual worldwide turnover in the preceding financial year. While it is true that, in absolute amounts, fines will be larger for large companies, we have to ask:
What is the impact of the 4% in your cash flow?
4. I bought a DIY GDPR package (it cost me an arm and a leg), but at least I’m covered.
If you haven’t purchased this package from a qualified attorney-at-law or a certified privacy professional, at least, and if they did not perform actual interviews and assessments with you and your team to understand your factual situation and understand the specific circumstances of your data processing activities, then you are not compliant or legally protected. Consider it a sunk cost (and, still, a huge liability!).
5. I have a privacy policy, I generated it on X website, with Y AI tool, I’m compliant.
A privacy policy is only one item of the GDPR Compliance Program you should have in place, including as a small business. In addition, there is a distinction between a “privacy policy” and a “privacy notice”/“privacy statement” – are you sure you have both?
6. I only save my customers’ data locally, on my own… computer, server… (God knows where…)
Article 32(1) of the GDPR imposes the obligation, on both controllers and processors, to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
In practice, only a factual assessment of your processing activities can determine what type of security measures you need, how far they should go, and whether simply storing data on a secured server or cloud will suffice. Often, in our initial assessments, we discovered that data is scattered and there is a lack of awareness within the organization.
7. I am not in the EU, I/we are in the USA, Canada, Australia… the EU GDPR does not apply to me/us
The applicability of the GDPR to you as a small business outside of the European Union depends not on your jurisdiction of incorporation or where your main seat is, but rather on what your processing activities relate to: are you targeting EU customers?
8. How am I liable towards my clients aka corporations? – this is for those of you who serve enterprises, businesses, work B2B
This is a fallacy. We call it the “enterprise serving fallacy”.
If you are processing personal data of individuals, employees of an enterprise that hired you to provide certain services, you are liable FIRST & FOREMOST towards those data subjects. They are and should always be your number one concern because the GDPR is aimed at protecting the personal data of individuals.
In case of a data breach, you are liable for the ENTIRE DAMAGE (whether you were a controller or a processor!) and, thereafter, depending on the circumstances of the case, towards your business partners aka corporate clients, companies to which you provided those specific services, etc.
Here are some products from my shop that cover GDPR compliance:
https://spotlegal.io/website-marketing-terms-bundle/