Debunking the Top 5 GDPR Myths and Misconceptions

With GDPR being a more recent law, there are some misconceptions about who it applies to and how it affects companies around the globe.

by Troy Fine

July 14, 2022

The General Data Protection Regulation (GDPR) has been a fixture of the security and compliance world since it became enforceable in May 2018. Because it is still a relatively recent law, there are persistent misconceptions about who it applies to, what it actually requires, how it affects companies outside Europe, and much more.

After numerous customer calls and questions around GDPR, we’ve picked some of the most common GDPR myths to dispel for you.

1. GDPR is a Security Framework

GDPR is a data protection (privacy) regulation, not a security framework. Security is one component of it: Article 5(1)(f) requires that personal data be processed in a way that ensures its integrity and confidentiality, and Article 32 requires "appropriate technical and organisational measures" to secure processing. Neither article prescribes specific controls, so GDPR does not tell you which encryption, logging, or access-control measures to implement the way a framework such as ISO 27001 or NIST 800-53 does. The primary focus of GDPR is ensuring that personal data is processed lawfully, fairly, and transparently, for defined purposes.

2. GDPR Doesn’t Apply to Companies Outside of the EU

There has been some confusion for organizations on whether or not GDPR applies to them. If the GDPR is an EU privacy regulation, wouldn’t it only apply to companies based in the EU? Not necessarily.

GDPR's territorial scope (Article 3) is defined by where an organization is established and whom it targets, not by where its servers sit. It applies to any organization established in the EU, regardless of where the processing itself takes place, and to organizations outside the EU that offer goods or services to individuals in the EU (whether or not payment is required) or that monitor the behaviour of individuals in the EU, for example through web tracking or profiling. A US company with no EU office that sells to EU customers, or profiles EU visitors to its website, is therefore in scope even though it is not physically located in the EU.

3. GDPR Only Protects EU Citizen Data

GDPR protects individuals who are in the EU (the regulation's own wording is "data subjects who are in the Union"), not just EU citizens; citizenship is not the test at all. For example, a US citizen travelling in the EU is protected by GDPR while there. Conversely, an EU citizen travelling in the US is generally not protected by GDPR for data collected from them while they are in the US, unless the organization collecting it is itself established in the EU, in which case GDPR applies regardless of where the individual is. Because GDPR's protection is tied to presence in the EU rather than to citizenship, other jurisdictions have passed similar laws to give their own residents comparable rights.

For example, there was confusion as to whether people in the United Kingdom would keep their rights after Brexit. When the United Kingdom left the European Union, it retained the regulation in domestic law as the "UK GDPR", which operates alongside the Data Protection Act 2018, so UK data protection rights remain substantively the same as under the EU regulation.

4. GDPR Doesn’t Apply to Small Businesses

It’s understandable to think that such a strict data protection law may not apply to small businesses. Generally small businesses:

  • Deal with significantly less customer data than large corporations.

  • Are often exempted from other regulations when they have a small number of employees.

  • Feel less at-risk for data breaches.

  • Are less aware of regulatory compliance laws like GDPR.

It doesn't matter how few employees your business has: GDPR applies to businesses of all sizes. The only size-based carve-out is narrow. Article 30(5) exempts organizations with fewer than 250 employees from keeping formal records of processing activities, but only where the processing is occasional, is unlikely to result in a risk to individuals' rights and freedoms, and involves no special categories of data or criminal-conviction data; every other obligation still applies. The goal of GDPR is to protect individuals' rights over their personal data and ensure transparency about how that data is used.

5. GDPR-Like Regulations Will Stay Confined to Europe

GDPR-like data regulations have already extended beyond European borders. You may have heard of the California Consumer Privacy Act referenced as the “GDPR of California.” Although there are some key differences between these laws, their main objective is to encourage transparency over how organizations collect, store, and share personal information.

The Colorado Privacy Act and Virginia's Consumer Data Protection Act, both modeled in part on CCPA, were passed in 2021. Several Asian countries have also adopted GDPR-like privacy laws, such as China's Personal Information Protection Law (PIPL), which took effect in November 2021, and Japan's amended Act on the Protection of Personal Information (APPI).

Data privacy and security have become increasingly important to citizens, and their governments are responding in kind. 83% of Americans support the creation of a national standard for data privacy. It's only a matter of time before even more regulations, at both the state and international level, are proposed and passed.

If your company falls under any of these criteria, or you want to take a proactive approach with your compliance program, take a look at our GDPR solution. Avoid hefty fines, prove that you are a security-first organization to your customers and partners, and remain GDPR compliant with Drata.


Troy Fine
Troy Fine is a 10-year former auditor, now Director of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.