GDPR Mythbuster Month – Part 1

It’s our favorite spooky time of the year and you know what that means! It’s time to bust some GDPR myths!

You can also follow the series on our Instagram


Myth #1 All personal data breaches will need to be reported to the ICO

It will be mandatory to report a personal data breach under the GDPR but only if it’s likely to result in a risk to people’s rights and freedoms. So, if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, therefore you should document it.


Myth #2 If you don’t report in time you’ll definitely get a fine

The ICO says that fines under the GDPR will be proportionate and not issued in the case of every infringement. Organisations should be aware that the ICO will have the ability to issue fines for failing to notify and failing to notify in time. It is important that organisations that systematically fail to comply with the law or completely disregard it, particularly when the public are exposed to significant data privacy risks, know that we have that sanction available.Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR. “Tell it all, tell it fast, tell the truth.” – Elizabeth Denham


Myth #3 GDPR only applies to data customers give me


GDPR applies to any personally identifiable information, whether given to you by a customer or individual, or collected without their explicit consent. For example, if you’re collecting data through advertising or website analytics and you’re not anonymising it – perhaps you’re recording the customer’s IP internet address – then you are capturing data covered by GDPR. It’s worth remembering that GDPR applies to any personal information you collect about individuals, whether customers, employees or anyone else.


Myth #4 You must get ‘double opt-in’ from customers for email newsletters


A double opt-in is when you sign up for something and you’re then asked to confirm this subscription. Under GDPR, this is not a requirement. A number of websites and commentators have said that double opt-in is required to satisfy GDPR’s need for proven explicit consent. But this is not the case. So long as you can show that a user had to opt-in when they first submit (or you record) their data, and that the wording of the opt-in is clear and accurate, you should be fine. There of course also benefits to the “double opt-in”. Your list may be shorter, but you can expect better returns from it in the long run.

Myth #5 Everyone needs a Data Protection Officer


The good news for small businesses is that not every business requires a Data Protection Officer. You will only be required to appoint a Data Protection Officer if you are a public authority; you engage in large scale systematic monitoring of customers and individuals; or your organisation processes a large volume of sensitive personal data about individuals or customers. The DPO could be a professional, who is a hired employee, or an outsourced position.



1,411 thoughts on “GDPR Mythbuster Month – Part 1