GDPR has become one of the most talked about and misunderstood pieces of legislation in recent years. In this blog post, we will discuss some of the most common misconceptions about GDPR and provide a better understanding of the regulation.

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that came into effect on May 25, 2018. It replaces the 1995 Data Protection Directive and aims to protect the privacy and personal data of individuals in the EU.

Common Misconceptions

The EU GDPR applies within the UK

A common mistake, but the UK has its own Data Regulations – UK GDPR 2021, enforced post-Brexit. The UK also used to be under the purview of the Data Protection Act, but that has come under the umbrella of the UK GDPR.

GDPR only applies to EU businesses

One of the most common misconceptions about GDPR is that it only applies to businesses based in the EU. This is not the case. GDPR applies to any business that processes personal data of individuals in the EU, regardless of the location of the business. This means that even if a business is based outside of the EU, it must still comply with GDPR if it processes personal data of EU citizens.

GDPR is only concerned with data privacy

Another misconception about GDPR is that it is only concerned with data privacy. While data privacy is a crucial aspect of GDPR, the regulation covers much more than just this. GDPR also governs the collection, storage, processing, and transfer of personal data, ensuring that individuals have control over their own data and can request access to it. Additionally, GDPR requires businesses to take steps to ensure that personal data is protected from unauthorised access, theft, or loss.

GDPR only affects large businesses

A third misconception about GDPR is that it only affects large businesses. This is not the case. GDPR applies to all businesses, regardless of size, that process personal data of individuals in the EU. Small businesses, as well as large ones, must comply with the regulation and take steps to protect personal data.

GDPR is too complicated to understand and implement

While GDPR is a complex piece of legislation, it is not too complicated to understand and implement. There are numerous resources available, such as guidance from the Information Commissioner’s Office (ICO) in the UK, that can help businesses understand their obligations under GDPR. Additionally, many companies offer GDPR-compliant solutions that can assist with implementation.

GDPR fines are excessive

Another misconception about GDPR is that the fines for non-compliance are excessive. While GDPR allows for substantial fines, up to 4% of a company’s global annual revenue or €20 million (whichever is greater), these fines are only imposed in the most serious cases of non-compliance. The ICO has emphasised that fines should be proportionate and that its focus is on encouraging compliance through education and support rather than imposing fines.

How to comply with the EU GDPR?

The GDPR is a complex piece of legislation that has been subject to a number of misconceptions. However, by understanding the regulation and taking steps to comply with it, businesses can ensure that they protect the personal data of individuals in the EU and avoid fines for non-compliance.

If you’re not certain whether the EU GDPR applies to you, or what you should do if it does, please contact us below for advice.