GDPR Myths Busted

The coming into force of the GDPR last year (and the panic it caused in some quarters) also generated myths and opinions about the new data protection regulations. While some were misinterpretations of fact, others were simply hearsay. In this article we will look at some of the myths and opinions surrounding the GDPR and see if they have any validity.

“GDPR is a bad thing”

This is a matter of opinion. Many argue that the GDPR is another burden on business and restricts innovation. In my opinion, new legislation was required, as it had been nearly 15 years since the last EU data regulation update and a lot has happened since then. Primarily, technology had changed from simple phones and slow internet to 5G mobile smartphones and high-speed fibre broadband, with people spending more and more hours online generating personal data. This is evident in how dramatically the volume of data processing has increased: 9.7% online globally in 2003 versus 54.5% in 2018. Personal data is big business, and individuals (data subjects) needed to be protected and to have rights with regard to their data in this changing environment.

On the company level, I would also argue that when data protection is front and centre of a business's work, it is an added benefit of trusting and working with that company. It is only common sense that individuals would like to know how their data is used, and to alter it and access it when possible, and a business that does this is displaying accountability (toward their data subjects) and responsibility (with their internal systems for facilitating these rights).

“GDPR is solely about getting consent”

This is definitely false. Data protection isn’t just about getting consent to process data, as sometimes consent will not be the appropriate legal basis. Imagine if you used consent for CCTV in a retail space – this would not be feasible. There are other legal bases for processing, such as legal obligation, vital interest, public task, contract or legitimate interest.

“GDPR won’t let me take photos at a confirmation or another public event”

This is false with regard to photos that are taken for family reasons only, which fall under the ‘household exemption’ under the GDPR. There was a lot of media discussion on this earlier this year, but the Data Protection Commission mentioned that “This type of activity falls under the so-called “household exemption” under the GDPR, which provides that the GDPR does not apply when a person processes personal data (for example, a photograph of someone) in the course of a purely personal or household activity, e.g. with no connection to a professional, business, official or commercial activity.” (2019)

Further information on this topic, from the Data Protection Commission’s website, is available here

“GDPR imposes big fines”

This is very true. The article last week dealt with this. To read see here. The fines can be as high as €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover. There have been many high-scale breaches to date and there will be more.

The best way to avoid fines is to be compliant with the GDPR and data protection legislation by following the rights, principles, obligations, legal basis and other areas as required. 

“We keep all our documents in a filing cabinet and we are therefore GDPR compliant!”

Neither true nor false. Keeping documents containing personal data in a locked filing cabinet may keep them secure (if they are in a restricted area and access is controlled), but the key part is what information is in the documents held in the cabinet. If you have a legal basis for processing that information, you store it only for the period required, and the data stored is not excessive, is kept secure in an organised filing system and is used only for the purpose for which it was collected, then you may be fine. However, if that locked cabinet contains documents with data that you have no legal basis for, or that is excessive or stored too long, then you have a problem and you are not GDPR compliant. Know what data you have through a data audit flow map exercise, and have a retention schedule so that staff know what documents you have, why you keep them and how you dispose of them.

“My staff do not need GDPR training”

False. Awareness Level Training for all employees is critical for compliance efforts with GDPR. Staff need to know their roles and responsibilities regarding the data they process and, among other things, to understand the rights they have as data subjects. A lack of knowledge among staff can be seen as a lack of accountability and security. Breaches of personal data will occur if staff do not know the company’s policies and procedures. Furthermore, the facilitation of data privacy rights by the company (such as the right of access by data subjects) will be hampered if staff don’t understand their roles in assisting the use of this right, or when the right does not apply to data from their area.

It is also worth noting that when employees frequently process Special Category data, such as health data, this processing demands the highest levels of protection and control. It will also require the use of both a legal basis and a special condition as laid down by the GDPR.

GDPR might seem overwhelming, but understanding the facts of the data protection regulation is the path to compliance. Enguard can assist with the issues which GDPR raises, from audit, security and staff training to drafting policies and procedures. For further details please call us at Enguard on 0818 252 052 or email us. We would love to hear from you!

Disclaimer: Please note the above article is an opinion piece based on current sources of information available at the time of publishing. It should not be read as legal, clinical or other form of technical advice for the processing of data by processors or controllers. 

Kenneth Baker