Four Common GDPR Myths

Monday, December 11th, 2017




We’re nearing the deadline for the implementation of General Data Protection Regulation (GDPR) – which is 25 May  2018 –  for those of you who may have forgotten. As you should know by now, every business in the EU must conform to GDPR standards. GDPR has been widely publicised and with so much talk around it from a number of sources, it can be hard to separate fact from fiction.




Here are some of the most common myths:


Myth 1: It’s All About Avoiding Fines

Most companies are complying with GDPR in order to avoid exorbitant fines. Companies can face up to 4% of their revenue (which can be up to €20m). However, these types of fines will be very rare in the UK. It is important to note that companies that fail to notify the Information Commissioner’s Office of security breaches will be liable for a fine, especially relating to an individual’s data. Companies might have to alert their entire customer base in the case of a breach, which could affect their reputation.


Myth 2: It Only Affects Companies In The EU

GDPR doesn’t only affect companies that are located in the EU, but also companies that provide a service to people from the EU, no matter where they are located. This includes the UK, as Brexit won’t affect its compliance. For example, if an EU citizen uses any of your digital platforms (like books a hotel, or makes an e-commerce transaction), your company will need to comply with GDPR.


Myth 3: All Security Incidents Must Be Reported Within 72 Hours

Companies have already accepted this as a general rule, but it isn’t a black and white situation. For instance, only personal data breaches need to be reported, so it won’t be necessary to report security incidents and breaches that do not involve personal data.


Myth 4: You Must Have Consent to Process Data

An important factor in GDPR is that you must have consent to process an individual’s personal data. But there is some nuance to this—according to Yves Schwarzbart, the head of policy and regulatory affairs at the Internet Advertising Bureau—there are other ways to process data. The rules around consent is only necessary when you’re relying on consent to process personal data, and there are other ways to comply with GDPR.

As the introduction of the new European General Data Protection Regulations gets nearer, your company should be prepared. Proceed can assist with implementing an SAP data management strategy that will help your business prepare for GDPR compliance. If you’d like more information on the new data regulations and how a SAP data management strategy can help you become ready for compliance take a look at our GDPR events we are running a series of dates on the run up to 25th May 2018.