Top 5 myths about GDPR

1. GDPR is an entirely new concept, born in May 2018

Truth: Many GDPR regulations had been in force even before May 2018, based on a European Directive, and were therefore included in national legislation.

This was also the case in Romania. Some examples include: the right to be forgotten, the right to be informed about how companies store and process your personal data, and the right to object to the storing of one’s personal data. GDPR is supposed to level these national regulations and unify them.

2. You can only send newsletters to clients who gave their express consent after May 2018

Truth: According to GDPR, you should have the express consent of the person whose data you store and process. But that consent could have been collected even before GDPR officially came into force.

In Romania, for example, you were bound by law to collect this consent even before 2018. But many companies failed to do so because the fines for non-compliance were not so high. However, the ones who did comply are safe and do not need to collect the written consent of their clients again in order to legally send newsletters.

3. My firm is small, so I shouldn’t worry about GDPR

Truth: GDPR applies to all companies, big or small.

It is true that some data protection rules apply only to big companies (e.g. internal risk assessment for companies with over 200 employees), but fines are not one of them. Some fines are limited depending on company revenue, but the financial setback is still very high.

4. GDPR prevents me from further contacting potential clients

Truth: First of all, GDPR only protects individuals. Any other entities, such as companies, NGOs, partnerships and public authorities, are not protected by GDPR.

So if you run a B2B business, you don’t have to worry about your clients. For example, storing names and CNPs of potential clients who are individuals can be illegal if not done properly. But storing names, fiscal codes and even addresses of companies that are potential clients has nothing to do with GDPR.

Secondly, GDPR is not meant to harm your business and prevent you from making sales. But it does protect individuals from potentially being harassed with offers from companies whose services they have no interest in.

5. If I get a business card, I cannot contact the person without their express, written consent

Truth: If people act as representatives of their companies and offer a professional business card (not their personal email), it is OK to contact them. Email addresses such as office@companydomain or contact@domain are the safest way to show affiliation with a company. GDPR is meant to protect individuals, not companies. But companies can only communicate through their employees and representatives.

Not to mention that offering a business card implies that the person would not mind communicating with you in the future – for business purposes of course.

However, if the person asks you not to send them commercial offers or other business-related communication, you should respect their decision. This is not only a GDPR concern, but also common sense in business relationships.

Would you like additional information or our help with implementing GDPR? Contact us at or use the contact form on our website at
