
5 Myths Surrounding GDPR Compliance

Published April 25, 2018; updated May 1, 2018

With the deadline to become GDPR compliant just a month away, many companies’ implementation plans are in full swing. Not as many as one might think, however: an estimated 60% of companies are unlikely to meet the May 25th deadline. Contrary to a common assumption, the path to GDPR compliance is a long one that usually involves modifying internal policies and processes, not just technology. Alongside this misconception, a number of myths have contributed to the cloud of confusion surrounding GDPR compliance.


Myth 1: A third-party provider can make you fully compliant

While third-party partners may themselves be compliant (and can ensure that certain facets of your operation are compliant), they cannot guarantee your organization’s overall compliance. Almost every organization also handles personal data internally, which means data can be mishandled through your own processes regardless of how well a vendor performs.

Vetting third-party providers to ensure they will be GDPR compliant is critical as they are implicated in 63% of data breaches. However, taking the proper steps to correct any data flow issues within your internal operations is equally important when considering the long-term data infrastructure and compliance of your organization.

Myth 2: Fines are the only consequence of non-compliance

At this point, almost everyone with some familiarity with GDPR has seen the maximum fines that may be imposed on a non-compliant organization: up to €20 million or 4% of global annual turnover, whichever is higher. Fines at that level will likely be reserved for the most serious offenders, with smaller fines handed out to other companies in proportion to the seriousness of their infractions.

However, loss of revenue is arguably a more significant consequence than the fines handed down by the EU. Whether your organization is a data controller or data processor, there is the risk of other companies refusing to work with non-compliant firms, as this may expose them to non-compliance — and the same consequences of lost revenue.

Myth 3: Becoming compliant is a quick process

GDPR compliance is dependent on many factors, not just your IT department. Almost every department in a company handles data on a daily basis, meaning every department is partially responsible for becoming and remaining compliant.

A data protection impact assessment (DPIA) and a data-mapping exercise are typically needed to determine which internal policies and processes need to change, and that work alone can take several weeks. Depending on the scale of the changes required, implementation could take several months, if not longer. If you haven’t already started, creating a sense of urgency and beginning this process now could prove crucial to the long-term compliance of your organization.

Myth 4: Only large multinationals should be concerned

With globalization’s continued rise, GDPR affects more than just companies with a legal footprint in the EU. Whether your organization has one client in Paris or you have a dozen offices across the Continent, you are subject to the regulation as of May 25th, 2018:

“The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”

It is more likely that organizations with a larger data footprint will be the most commonly reprimanded and subject to scrutiny. However, small firms are by no means exempt from the regulation and the corresponding consequences for non-compliance.

Myth 5: Every company needs an appointed Data Protection Officer (DPO)

A DPO is mandatory for controllers and processors alike when one of the following criteria is met (Art. 37): (a) the processing is carried out by a public authority or body; (b) the organization’s core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale; or (c) the organization’s core activities consist of large-scale processing of special categories of personal data (Art. 9) or data relating to criminal convictions and offences (Art. 10).

If your company does not meet the above criteria (and no applicable Member State law imposes a DPO requirement of its own), you are not obliged to appoint a DPO. However, retaining a DPO to advise on and monitor your compliance, and to assist if a breach occurs, is always advisable.

With the deadline to become GDPR compliant rapidly approaching, many companies across the globe still have questions regarding how they’ll accomplish this. If you have questions about becoming and remaining GDPR compliant, reach out to Velocity Global today to learn how we can help your organization prepare for the widest-reaching data protection regulation to date.