1. The GDPR is something entirely unprecedented
The GDPR is the logical successor of the old Data Protection Directive 95/46, which was meant to provide safeguards for the processing of personal data. The logical system of the GDPR is very similar to that of the Directive, including the fact that personal data may only be processed for a well-defined purpose and on the basis of a legal ground. Some rights for data subjects are new, as are the sanction regime and the fact that it now applies to all EU countries.
2. GDPR is all about data subject consent
As in the past, consent is only one of six legal grounds for processing personal data. So there are many cases in which you would not use consent as a legal ground for processing personal data (because you did not obtain it, do not want to obtain it or cannot obtain it), but instead process data because it is necessary for the performance of a contract, for complying with a legal obligation or because it may be regarded as a legitimate interest of your organisation.
3. You should immediately ask permission for sending e-mails
Insofar as this is the case, it was already obligatory before the GDPR took effect. What is more, the GDPR has no direct effect on e-mail marketing, because that is regulated by the ePrivacy Directive. The ePrivacy Directive is set to be replaced by the ePrivacy Regulation, but that new regulation is still under debate within the EU institutions. The persistence with which suppliers sent out e-mails over the past month asking for a confirmation of your consent suggested otherwise, but it is just that: a myth.
4. All organisations should appoint a data protection officer (DPO)
Some organisations must appoint a DPO: public bodies, organisations performing systematic monitoring of data subjects on a large scale and organisations processing special categories of personal data on a large scale. Other organisations are of course allowed to appoint one, but are not obliged to do so. Also, public bodies and groups of undertakings may share a DPO. A DPO has an independent role, for which certain safeguards are provided in the GDPR.
5. We do not process personal data so the GDPR does not apply to us
Two words: fat chance. Even as a freelancer you will process personal data of your customers and suppliers. Every company processes data of its employees and its customers. Also, take into account that personal data encompass everything that can potentially be linked to a natural person. An IP address is not personal data, right? Wrong! Nicknames? Personal data. E-mail address aliases (when belonging to an individual)? Personal data. Choose the safe side and assume that data are indeed personal.
6. My organisation is established outside the EU so the GDPR does not apply
If your organisation offers goods or services to data subjects in the EU, or if it monitors data subjects in the EU, it falls under the scope of the GDPR. This means that you have to comply fully with the GDPR, and also that you have to appoint a representative within one of the EU Member States where the goods or services are offered or where the monitoring takes place. The representative can be either a natural person or a legal person.
7. The GDPR is only about data security
Yes, data security is an important prerequisite for complying with the GDPR, but definitely not the only one. The GDPR is about getting insight into your organisation’s handling of personal data, and about being accountable for everything it does with those data. Much like bookkeeping, the GDPR requires you to have detailed insight into what happens with personal data, for what purpose, in which parts of your organisation, and how this relates to the rights and freedoms of the data subject.