Five myths about GDPR

There’s much talk and debate around the implications of the General Data Protection Regulation (GDPR). The regulation is essentially designed to harmonise data privacy laws, protect and empower all EU citizens’ (and residents’) data privacy, and reshape the way organisations across the region approach data privacy. Many organisations are looking to become GDPR compliant sooner than later by the deadline of May 25, 2018.

This blog post will discuss and dispel five common misconceptions around GDPR to help you accelerate your GDPR compliance journey.

1. GDPR only affects businesses in the EU

GDPR is applicable to any organization that processes personal data of individuals living in the EU, regardless of whether the particular organization is established in the EU or the actual personal data processing occurs within the EU. Hence, the regulation casts a wider net to include organizations that business concerns in the EU and it doesn’t matter if the particular organization directly offers services to individuals or acts on behalf of another organization.

For example, a public cloud storage service is required to be compliant with GDPR. Otherwise its users cannot leverage this storage service to store any kind of personal data collected from the EU.

2. GDPR restricts freedom in e-commerce

GDPR may appear as an attempt to restrict freedom of businesses related to personal data processing and progressive profiling of individual behaviours, but in reality this is not the case. Under current privacy laws, organizations have to evaluate the risk of facing legal action due to the ambiguous nature of current laws and their inadequacy to support the latest technology tends. In this context, GDPR primarily provides ‘certainty’ for business organizations to carry out personal data processing in a lawful manner.

With GDPR, when planning new business offerings, an organization can properly evaluate compliance with privacy laws to mitigate legal risks. Moreover, GDPR recommends organizations to conduct data protection impact assessments (DPIA) and seek advice from authorities to ensure they follow compliance guidelines.

3.GDPR is limited to personal data

Even though GDPR uses the term ‘personal data’ in several places, the more accurate and legally correct term is ‘personally identifiable information’ or PII.

PII refers to any information that can be used to relate to an identified or identifiable person, be it online identifiers (such as usernames, email addresses, IRC usernames, cookies, IP addresses), Radio Frequency Identification (RFID) tags, devices, an application or biometric elements (such as facial recognition, fingerprint or something similar). This definition of personal data greatly broadens the traditional definition of personal data.

4. You always have to obtain user consent

User content is the most common methodology that enables businesses to process personal data, particularly for e-commerce businesses. GDPR, however, provides more methodologies can be used to legitimize personal data processing. An organization is expected to evaluate all legitimized methodologies of processing and select the most suitable methodology in accordance with the nature of the business and legal considerations. These are the 6 legitimized data processing methodologies defines in GDPR:

For example, an employer may need to retain details of past employees for a certain period and the most suitable processing means in this context is a contract with an individual (rather than consent). In another example, the monetary policy of a country may need to maintain records of individuals with financial institutions. In such cases, complying with a legal obligation is the more suitable option.

5. An organization can buy GDPR compliance from a vendor as a tool or solution

It’s misleading to think that an organization can achieve GDPR compliance by purchasing a tool or a system from a vendor – as each organization has to carry out its own measures to be fully compliant. These range from staff training to revising privacy and network policies among others.

I hope that the above information has helped you to address doubts and give organizations a clearer guideline for becoming GDPR compliant in the coming months. This regulation shouldn’t be viewed as a deterrent, but rather a stepping stone to realizing the potential opportunity for a new level of business growth through digital transformation. Early adoption and use of the right technology will help you get there, fast.

At WSO2, we advocate digital transformation by providing the required technology enablers. We’ve developed a simple 7-step approach to becoming GDPR compliant and expanding business opportunities in the process.

Sagara Gunathunge , Director, WSO2


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.