GDPR: Common Myths and Truths Revealed

The General Data Protection Regulation (GDPR) has been a hot topic of conversation since being adopted in April 2016. The new regulation changes how companies need to manage the data of data subjects in the European Union (EU) and will become fully enforceable starting May 25, 2018. With that date quickly approaching, we’d like to clear up some myths that we have been hearing.

Myth #1: Since my enterprise is not located in the EU, we don’t have to comply with GDPR.

Truth: Any enterprise that 1) offers goods or services to individuals in the EU, 2) processes or holds the personal data of EU residents or 3) monitors the behavior of individuals in the EU will be subject to GDPR. This includes visitors to the EU as well. GDPR would apply, for example, if an American citizen visits a U.S.-based website while vacationing in Germany and that website monitors that citizen’s behavior while in Germany.

Myth #2: Once my company becomes GDPR compliant, we will be compliant as long as GDPR is enforced.

Truth: GDPR is not a regulation that you can “set and forget.” It’s an ongoing initiative that will need to be followed by all personnel starting May 25, 2018, ad infinitum. Because of that, companies will need to continually educate personnel on maintaining awareness surrounding the integrity of personal data and GDPR.

Myth #3: Every data breach around personal data will need to be reported.

Truth: Not all breaches must be conveyed to the Information Commissioner’s Office. Those that result in risk to data subjects’ rights and freedoms, for instance, must be reported no later than 72 hours after discovery. If there is no risk, there’s no reason to report, but the matter should be documented.

Myth #4: Full monetary fines (€20 million, or 4% of worldwide annual revenue for the prior financial year, whichever is higher) will be assessed if your data is breached and data subjects’ rights and freedoms are exposed.

Truth: Fines will be administered by individual member state supervisory authorities utilizing the following criteria: nature of infringement, intention, mitigation, preventative measures, history, cooperation, data type, notification and certification, as well as a few other mitigating factors. Not all companies will be fined the full amount, as long as they are open, honest and report without delay. The more an organization exercises ongoing compliance efforts, and the more mature it is with regard to GDPR, the more likely its fines will be lessened.

Myth #5: My data is currently hosted with a cloud provider; it is their responsibility to be GDPR compliant, not mine.

Truth: Even if all your data is hosted in a third-party cloud provider’s environment (processor), it’s the responsibility of both the controllers and processors to be compliant with GDPR. As the data controller or processor, it is still your responsibility to protect and manage the personal data of your data subjects. There is no forgiveness for ignorance.

For more information regarding GDPR, please visit the Schneider Downs website, as well as the ongoing Our Thoughts On articles being published by our Risk Advisory professionals. If you have any questions related to your organization’s compliance with GDPR, please contact us.


© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
