Common GDPR misconceptions
Interpreting the GDPR can be difficult, so it comes as no surprise that there are several GDPR myths out there. Let’s set the record straight for those we hear most often:
1. The GDPR applies to EU citizens working outside of the EU
You do not need to apply GDPR practices to EU citizens residing outside of the EU. For example, if you have an EU citizen who is working within the US and is being paid by a US-based payroll provider, the GDPR would not apply because your employee is not based in the EU, even if they are an EU citizen.
2. You can’t transfer personal data outside of the EU
You can transfer personal data outside of the EU as long as it’s transferred to a country that has an adequacy decision from the EU Commission, or if you take appropriate safeguards (e.g. Privacy Shield certification). The EU determines what counts as “adequate” data protection as well as what counts as a safeguard.
3. Offenders will automatically get charged the maximum penalties
The GDPR wasn’t designed with the goal of fining employers, but rather to help them create processes that respect individual rights. Data protection authorities know it will be a journey for employers to come into full compliance. When assessing fines, they will likely consider the compliance measures an employer has already taken or has underway, along with the impact of the non-compliance.
4. To track an employee’s data, all HR needs is the employee’s consent
Not quite. Because employees are typically subordinate to employers, they may fear retribution if they refuse to consent to their employer’s data request. In that situation, consent wouldn’t be freely given. To cover all bases, HR should instead have a legal ground for requiring the data. For example, an employer is obligated to pay employees, so requesting data in order to process payment is considered a valid legal ground.

5. GDPR compliance is difficult and expensive
You don’t need expensive software or services to follow the principles of the GDPR. However, it will take some commitment. As with any project, it requires planning, dedicated resources, communication and ongoing program analysis. As for software, you’ll want to be sure you have HR technology that eases the burden of compliance in general and is built to serve a global workforce.