Top GDPR Myths and Monsters

Published on January 25, 2017

There seems to be a lot of confusion around GDPR that needs to be clarified. Some are innocuous others are downright dangerous and could make companies non-compliant and open to heavy penalties. So far we have identified the following misconceptions, the list is no doubt likely to grow.

1. Automatic fines up to 4% or 20 million Euros for non-compliance to GDPR

Well, yes and no. This is the most severe penalty for most severe breaches due to non-compliance. To get the maximum fine you would have bodged it big time and you would deserve it. I doubt if it was minor infringement or oversight it would attract such harsh penalty. For smaller non-conformities, there is more likely to be warnings leading up to major fines for persistent violations. Watch out for early examples, which are likely to be large fines to set the tone.

2. GDPR does not apply to the UK as we are Brexiting

Not correct, as the ICO has stated that the UK will comply. Even if we did not, we would expect to have similar privacy protection in local laws, less we wanted to be treated as a country not having adequacy.

3. Everyone Needs a Data Protection Officer (DPO)

No, they don’t. A DPO is mandatory only under three specific circumstances. I explained and elaborated on the three situations where a DPO is required in my previous blog on the role of a DPO here and therefore will not repeat it here again. Please do check the other blog post if you are interested in the details.

If your organisation falls within those three categories of Controller or Processor then you must have a designated DPO.

4. Organisations with less than 250 employees do not need a DPO

Not true. This was from a draft article. Whether you need a DPO or not is entirely dependent on the type of processing you do and not the size of the organisation.

See my article at for more information on the circumstances under which an appointment of a DPO is mandatory and the attributes of a DPO.

5. The Compliance Date of 25th of May 2018 will be delayed.

Highly unlikely. Organisations had 2 years to prepare. GDPR was published in 2016 and actually came into force on 25th of May 2016 and is applicable from 25th May 2018. This means organisations should have started their compliance journey in 2016.

6. That the DPO is a person

The GDPR refers to the DPO and it can easily be misconstrued as a single person. It is not a person. It is a role or a function. If you think about it, it may be a fine case for a small organisation to have a single person or even share the role between organisations under contract. However for a for a large organisation with multiple jurisdictions, locations etc. it would simply not be possible for a single person to assume and competently discharge the duties of a DPO. Add to that the depth and breadth of knowledge required to discharge that duty, such as having some level of legal knowledge, IT, IT/Cyber/Information security, architecture, systems, gap analysis, DPIA, Risk Assessment and Management, secure development, incident management, stakeholder management for starters.

Therefore, rather than thinking that the DPO is a person, think of it as a role, a function, a centre of knowledge, such as Internal Audit or Compliance. Both have to be independent and conflict-free.

See our virtual DPO services at

7. GDPR ONLY applies to digital information

Not true. GDPR also applies to personal data in hardcopy or printed documents (See below). Applies to hardcopy documents, if they are in structured filing systems.

8. GDPR Applies to all hard-copy personal data

This not the case. The GDPR does not apply to all hard-copy (printed) information. It only applies to personal information in a “structured” filing system. Therefore, if you have ad-hoc papers containing personal information in a filing cabinet then this is not covered by GDPR. By structured, I believe it means having some sort of index that will allow easy access or search of the personal data based on some sort of index, e.g. documents sorted by names in an alphabetical order.

9. GDPR Does NOT apply to organisations with less than 5000 employees

Not true. Compliance requirements are dependent on the type of processing rather than size of the company. For example as a marketing company with 10 employees could be processing millions, if not hundreds of millions of records automatically. Automated processing allows for that. You do not need a super-computer or hundreds of staff to carry out this level of processing.

10. It is mandatory to register with the Supervisory Authority (e.g. the ICO)

Not so. Not required by the GDPR anyway. However, some, including the ICO may require registration in the future. The ICO is mulling registration.

11. You need Consent to process data

Not so, there are 5 other legal bases you can rely on to process data. Consent is only one of them.

12. You need Explicit Consent

No, not for ordinary personal data processing. Explicit consent is only required if you process “special categories” of personal data.

13. You need to hold an inventory of personal data

Not exactly. GDPR requires a record of processing activities, which should be much wider than an inventory as we understand it. It should include all your processing activities, reasons, legal bases, category, classifications, interfaces and so on.

14. GDPR will stop direct marketing

Not so, whilst GDPR applies to personal data digital marketing is governed by PECR. PECR dictates what you can and can’t do with digital communication. So you need to be aware of both and will need to ensure you have a concrete lawful basis to market. For example, you do not always need Consent and can rely on Legitimate Interest, however, it must be genuine and not a lazy reason to rely on it.

15. Business data does not contain personal data

Even business data can contain personal data. This is a grey area but you should nevertheless be cognisant of what constitutes personal data and the context of its use. The definition of personal data is wide. This is not the same a personally identifiable data. More to come.

See for a searchable list of Personal Data under GDPR

16. You cannot use your existing data

You can still use your existing data as long as it meets the GDPR requirements. So if you have a marketing database and you can prove that it is compliant with GDPR then you do not have to get rid of it. Ask yourself whether you can prove that you have GDPR compliant Consent to market, if consent is what you are relying on as a lawful basis? Although, the way you market will change. For other data types, you need to do the same, look at your Lawful Basis to start with.

17. You have to report every data breach to the ICO

Not all breaches have to be reported. Especially if they do not involve personal data. Even if a breach involves personal data, then you only need to report it if there is high risk to the data subjects privacy and rights.

18. You have to report everything within 72 hours

If possible, but with undue delay and within 72 hours if possible. The key is to be transparent to the Supervisory Authority. It is more important to report it first once you are aware of the breach and then provide the information as it comes into your possession.

19. Personal Data is the same as PII

Not so, Personal data is much wider than PII. Whereas PII data is data that identifies a person. Personal data is data that can directly or indirectly, in itself or with a combination of other data, including descriptors/attributes can identify an individual’s.

20. There are official GDPR DPO Certifications or Qualifications

Nope, there are no official GDPR DPO qualifications. Many organisations are touting their certifications/training as “DPO Ready”. This not so, there has not been yet and official curriculum for GDPR DPO certification that is approved by the EDPB.

21. GDPR does not apply to backup or archived data

Archived or backed up data, even if encrypted is still data considered to be being processed and therefore GDPR shall apply.

22. GDPR does not apply to encrypted data

GDPR applies but the data, if involved in a breach may not have to be reported as it is not accessible. The encryption obviously will have to be sufficiently strong have all the requisite controls around it such as key management etc.

redrik Norling – “I had a discussion with an it guy yesterday that was asking for how to encrypt all databases for gdpr because this was an example in the official document. I said you don’t need to, he didn’t believe me. Encrypting data on disk will only stop a file data breach. But how many of those are known? I think that most data breaches is thru the database server and then that data is already unencrypted. (edited)”

23. You require record of your processing activity

Yes and no. Not if you have less than 250 employees unless you are processing special categories of data/criminal convictions and whose processing of personal data is occasional and is unlikely to result in risks to data subjects.

I know it is stupid to exempt anyone from this requirement.

24. You need explicit Consent for Direct Marketing

No, Consent is not always required and it does not have to be explicit.

25. Explicit Consent is always required

No, only required for certain processing, such as for Special Categories of data.

26. ISO27001 is the same a GDPR

Not quite so. Whilst, there are some synergies especially in Articles 32, 33 and 34 which are concerning security and breach notification (incident management) the other articles to ISO27001 is highly tenuous. For example Records of Processing Activities is not same as an ISO27001 information asset register. The former is much wider and detailed.

Privacy by design is about privacy not about security but designing privacy controls derived from the DPIA. Sure some of it is security controls, such as access control etc.

ISO 13.2 speaks about Information Transfer and security of information but not in the sense of GDPR, but I can see how the transfer mechanism such as BCR could be built in. So whilst ISO27001 ISMS can be used to support and systematically manage GDPR as one of the compliance risks it is not GDPR.

27. GDPR is PCI-DSS without the Credit Cards

No. PIC-DSS has specific Requirements to protect credit card data and some of it is personal data. The primary objective PCI-DSS is to prevent credit-card fraud and is, therefore, more about security than privacy. It does not cover things like the subject’s rights, DPIA, PbD etc.

28. You have to keep all personal data in CSV format

I read this one on an “experts” blog. No, you do not have to. You only need to be able to provide it in the case of a Portability request in a suitable format.

29. Reconsent or delete all your data

Not always. You only need to reconsent if your current Consent does not meet GDPR consent standards. If you cannot prove your current consent is to the GDPR standard and you cannot obtain re-consent then you will need to delete the personal data.

See my article The Why, What, How, Where, When and Whom of GDPR

Published by Moyn Uddin on Cyber Counsel website. This list will be reviewed and updated. Please visit for the latest list and information on GDPR and Cyber Security.

Scroll to top