The EU General Data Protection Regulation (GDPR) came into force on the 25th of May 2018. Since then, businesses have spent billions of dollars to ensure compliance with the new rules. The top 500 U.S. companies alone spent approximately 7.8 billion USD to comply with the strict terms of the GDPR. Despite the widespread media coverage of the GDPR, many myths still surround this relatively new EU law. In this article, we discuss some of them.
Myth 1: GDPR is an EU law that does not apply to non-EU businesses.
The principle of territoriality is often applied in the field of law. It means that a legal instrument adopted in one country is valid only in that country. For example, a U.S. patent grants patent protection in the United States only. However, the authors of the GDPR took a different approach in order to guarantee that unscrupulous foreign companies cannot misuse the personal data of EU residents. The GDPR applies to non-EU companies:
- Offering goods/services to EU residents,
- Monitoring the behavior of EU residents, or
- Having branches in the EU (if the activities of the branches include data processing).
Myth 2: GDPR only intimidates people, but no actual fines are imposed.
The World Wide Web consists of more than 1.5 billion websites. Many of those websites sell goods and/or services to EU residents and fall within the scope of the GDPR. It is unrealistic to expect that all of them will comply with the conditions of the GDPR.
Certainly, not all e-commerce businesses have the financial and human resources to meet the high standards required by the new EU privacy law. Even though the GDPR came into force only recently, more and more data protection authorities are imposing hefty fines on privacy violators. For example, in January 2019, the French data protection authority imposed a 50 million euro fine on Google for violating the GDPR. Germany, a neighbor of France, sanctioned a social media company for infringing the GDPR with a much lower fine (20,000 euros). However, even that amount can have severe consequences for startups and small companies.
- Installing a cookie pop-up banner
- Conducting data mapping
- Appointing a data protection officer
- Implementing a process for notifying the relevant data protection authorities in case of a data breach
- Concluding data processing agreements with data processors
- Ensuring that data processors in non-EU countries have adequate levels of data protection
Myth 4: If I am fined for violating the GDPR, I will need to pay a few hundred euros.
The sanctions for GDPR violations should not be compared with parking tickets, as the former can have a far more severe impact on society than the latter. For instance, a company that sells the personal data of its customers to data brokers could jeopardize the private lives of millions of individuals. Such data brokers may sell the personal data to spammers who will flood the email accounts of the data subjects with unsolicited messages, forcing them to waste valuable time reading and deleting spam.
Therefore, the EU data protection authorities will likely impose severe fines on infringers of the GDPR. The penalties of 50 million euros and 20,000 euros mentioned above clearly indicate that the penalties imposed on non-compliant entities will range between thousands and millions of euros.
Myth 5: If I comply with the GDPR, I will automatically be compliant with all EU privacy laws.
One of the goals of the GDPR was to create a harmonized EU legal framework that applies directly in all EU countries. Although this goal was achieved to some extent, individual EU countries still have discretion with regard to certain aspects of the law. Consequently, each EU country is authorized to adopt separate supplemental rules regarding the GDPR. At present, at least 70 such rules exist.
We need to be cautious about any publication that offers an easy way to comply with the GDPR. Such publications often spread misconceptions and put their readers at risk of a substantial fine. Few people would try to comply with U.S. securities legislation and the general rules of the U.S. Financial Industry Regulatory Authority without the services of securities experts. However, many people still naively believe that they can comply with the GDPR (a law no less complex than the U.S. securities laws) by purchasing a template for a few dollars and posting it on their website. Stay safe, and get the help of security experts when applying the GDPR.