GDPR- Unlearn and re-learn: Busting the GDPR Myths

GDPR- Unlearn and re-learn: Busting the GDPR Myths

If a sapling was planted every time there was a misconception about GDPR, we'd have probably defeated global warming by now. Any new revolution, be it in technology, philosophy or any other dimension, always creates chaos and confusion during its inception, bringing along with it, a plethora of misconceptions as well. However, it is time we got it all cleared from our heads. 

You might have been a victim of this contagion as well, or have you not? Let us unlearn the (un)popular misconceptions and try to bring in the clarity of crystals to our GDPR understanding.

Consent is an alias of GDPR

The worst of dreams by the GDPR experts will probably involve them yelling 'Consent alone is not GDPR!!', into the psychic space of their co-workers. Because this is, by far, the biggest misunderstanding. GDPR does put high emphasis on consent, but it is not the whole picture. 

There are six lawful bases and they're all equally valid. Say you are a firm based out of Amsterdam and you are employing locals. You don't need to get their consent for storing their information on your register, because the law mandates it. It will fall under the 'legal obligation' umbrella. If a person gets interested about your product and asks for a quote, you don't have to bother him with consent. Because you can process his contact information based on 'Contract'.

Hence, we must keep an open eye and consider all the six lawful bases before applying them to our data processing activities.

Consent is just a check box

Most of us are thinking that the holy check in 'I agree to the Terms & Conditions and Privacy Policy' is the consent we need. Well, no! In fact, that is the first example of what is not a consent, in the ICO website.

There are specific rules to be kept in mind when consent is taken. We must first state all ways in which we shall process the data we are collecting. And furthermore, we must not make it a precondition of a service, which is exactly what we do with the 'I agree to the Terms & Conditions and Privacy Policy' check box. Consent must be given freely with no pre-checked boxes. And even if the boxes are not checked by the subject, the service must not be denied. Hence, before taking the consent route, the whole processing tree must be analysed, and the decision on whether or not to take this route should be made.

GDPR is the Villain


When GDPR first came into picture, there was a massive wave of negativity that accompanied it. Social media was flooded with posts talking about how GDPR will cause a huge expense hole in organisations’ budget and why it will create so many problems that didn’t exist in the first place. Many organisations, by default, assumed that they shall end up non-compliant and some of them even expressed their idea of conjuring up funds for a possible fine due to non-compliance. One could almost feel the need to hit the psychological reset button.


However, we must understand in our bones that GDPR is a set of laws that just demand  Good Business Practice; GDPR must be welcomed with positivity because not only does it provide a company with a better legal and policy framework, but it brings acompetitive advantage as well.


GDPR, in many ways, will change the way businesses are conducted, but one of the main shall be the cognitive advantage that a company shall possess in the minds of its clients, when it becomes GDPR compliant. A GDPR compliant company shall do better positioning in their customer’s head when they can flaunt their compliance tag.


My business is small, so I'm kind of exempt.


Only in specific cases like the one for appointing a DPO, does the GDPR talk about company sizes. GDPR has an attitude and it doesn't care about your firm's size. If you happen to, in anyway, cross any data path of any EU resident, you are under the GDPR radar.

Forget small business! Even if you're a solo-pruner who runs a fashion blog, with an emailing list under your sleeve, you must be GDPR compliant.


I don't collect data from users, so I'm cool.


No, you're not. GDPR originates from 'what data you hold', which means that not only a massive introspection into
your data inventory is needed, but also an analysis of 'all' data that you have on subjects is required. Even if you don't collect data through web forms or portals, you still need to worry about the data pertaining to EU subjects. 

You might scrap the publicly available information on individuals and try to convert them into leads. You might even have purchased your competitor's leads (Highly not recommended, though. Just saying) or it could be a person on social media who has liked your page. In all these cases, though you haven't obtained data from the user directly, you still have to respect the data you have on him/her and process it under the GDPR.


There is only one type of consent


Firstly, there's private data and sensitive data. The former refers to data like the IP address, pin code etc., while the latter covers aspects like religion, sexual orientation etc. Naturally, the consent mandated for these types vary.

There are two types of consent : Explicit & Implied Consent


Implied consent is when the subject, by providing you a particular data, is accepting it to be used in a certain way. In effect, you don't have to shout out loud by asking him to check a box, but you can just 'imply' consent by stating the way the data is going to be used. But it does have to be unambiguous, which means there should not be more than one interpretation possible for that particular way in which you plan to use the data. Explicit consent is where the subject literally says 'I agree' to your consent statement, which must clearly state what data you are collecting, how you are going to use it, what it means to your subject and how this data will be transferred and the related risks of the transfer.Yeah, that's a lot. But this consent is required only when sensitive data is collected. 


I need to be a data democracy: All rights to all


The data subject rights caught so much attention that GDPR pursuers became too obsessed with it. For example, right to be forgotten was seen as a white elephant in the room and it perhaps got too much attention. Not all rights need to be given all the time. GDPR gives us six lawful bases, which is nothing but the underlying reason behind processing of data. And as your reason varies with the kind of data and processing method, the data rights you need to offer shall vary as well. 


Lawful Basis(row)/Rights applicable (column)

Right to be informed

Right of access

Right to rectification

Right to erasure

Right to restrict processing

Right to data portability

Right to object

Rights related to automated decision making

Consent

 Y

 Y


 Y

 Y

Y

 

Contract

 Y

 Y

 Y



 Y


 Y

Legal Obligation

 Y

 Y

 Y

 Y




 Y

Vital Interests

 Y

 Y







Public Tasks

 Y

 Y

 Y




 Y


Legitimate interests

 Y

 Y

 Y

 Y

 Y


 Y

 Y


Consider the above depiction, which correlates between rights and the lawful basis. A data field processed on a basis of contract, cannot be asked to be erased as such. Similarly, a data processed for vital interests cannot be objected. So, being aware of why you process the data that you do, and categorizing them based on applicable rights and lawful basis is an extremely crucial function.


I can use 'Legitimate Interest' for marketing uses relating to personal data, without consent.


The best one is saved for the last, because this is something that can really get you into trouble. Legitimate interest is not the silver bullet you can use when you have run out of options. Usage of legitimate interest has to be weighed against the privacy of the user before it can be applied to a marketing related activity(Any activity, for that matter! ). Even though marketing is an example of legitimate interest given by the ICO itself, it does not rule out the fact that the user must agree to be communicated for marketing. 


A clear 'Opt-in' is always preferred, which is not treated as consent, and it is, in some form, necessary to proceed with marketing communications.

 



      • Recent Topics

      • Limited review (/questions) for Bookings 2.0

        Hi all, I'm writing this review of Bookings 2.0 for two reasons: 1) it may be of interest to others, and 2) I'd like to be corrected if I'm wrong on any points. It's a very limited review, i.e. the things that have stood out as relevant, and particularly

      • Zoho Bookings - Reserve with Google

        Does Zoho Bookings plan to to integrate with Reserve with Google?

      • Tip #3: How to change your booking page language

        Displaying your booking page in your target audience's language can greatly increase customer satisfaction. By speaking their language, you will help customers feel more comfortable scheduling with you and create a stronger connection with them. Let's

      • Bigin Android app update: Alerts while creating tasks outside of working days, conflicting events and calls.

        Hello everyone! In the most recent version of the Bigin Android app, we have brought in support to display an alert if task is being scheduled outside of the working days. Also, when scheduling an event or call in the Activities module, a conflict alert

      • Bigin update: Link email messages to pipeline records.

        Hello everyone! In the latest version of the Bigin iOS(v1.11.9) and macOS(1.8.9) app, we have brought in support for an option to link email to pipeline records. This helps you to view emails specific to a deal, especially when a contact is associated

      • Bigin Android app update: Custom buttons and widgets

        Hello everyone! We are excited to introduce custom buttons and widgets on the Bigin Android app. Widgets: A widget is a customizable UI component in Bigin that improves efficiency and user experience. It lets businesses embed components, streamline interactions,

      • Biometric Access Support on Zoho Vault Desktop App

        Is there any plans to add biometric authentication (fingerprint, face recognition) for Vault desktop apps (Windows/macOS) to enhance security and ease of access. I would love to hear other members view on this

      • Zoho Sheet for Desktop

        Does Zoho plans to develop a Desktop version of Sheet that installs on the computer like was done with Writer?

      • Zoho Sheet - Desktop App or Offline

        Since Zoho Docs is now available as a desktop app and offline, when is a realistic ETA for Sheet to have the same functionality?I am surprised this was not laucned at the same time as Docs.

      • Collective-booking event not added to all staff calendars

        We assign two staff to certain events. When the client books this event, it adds it to one staff calendar (the 'organiser') but not the other. How can I ensure all staff assigned to a collective booking get the event in their calendar? (A side note: it

      • Project Management Bulletin: October, 2025

        Every need leads to innovation. Project Management tools were developed out of sheer necessity to drive large projects. With wide usage, the specifications grew precise, and so did the refinement. Over years we’ve crafted one of the best project management

      • Zoho Sheets saying locked when not locked

        Zoho Sheets won't let me add more rows to sheet because it's saying the sheet is locked, but the sheet is not locked. I tried using a different browser but I still have the same issue.

      • Identifying and Merging Accounts with Similar (Non-Exact) Names

        Hello everyone, I’m aware of the built-in deduplication feature in Zoho CRM that allows merging records with exactly matching values for selected fields. However, I’m running into a situation where our migrated data contains multiple variations of the

      • Option for super admin to recover the deleted chats in Zoho Cliq

        Currently, in Zoho Cliq, if a user accidentally deletes their chats, there is no option for the Super Admin to recover or view those deleted messages. I believe it would be helpful if Super Admins had a recovery option, perhaps within a certain time frame,

      • Zoho CRM iOS app updates: the Homepage, Zoho Survey integration, and support for multiple file uploads in subform

        Hello everyone! The Zoho CRM mobile app continues to evolve to bring you a smoother and more powerful CRM-on-the-go experience. We're excited to share some important updates now available in the iOS app. Here's what's new: Homepage support Zoho Survey

      • I am trying to integrate my module in sandbox environment to add data via API

        I went through the documents and tried to setup the API for adding the module via the api but the problem is the token setup is done on "https://accounts.zoho.in/oauth/v2/token" domain and the bulk write is done on "https://content.zohoapis.com/crm/v8/upload"

      • Setting up primary mobile number.

        Hi Sir Earlier I joined IIFL team and got an organizational email of zoho services. Later i quit and now my account is deactivated with IIFL but i am unable to link my mobile number to my own email id with zoho.

      • Zoho sheet for desktop

        Hi is zoho sheets available for desktop version for windows

      • Tables for Europe Datacenter customers?

        It's been over a year now for the launch of Zoho Tables - and still not available für EU DC customers. When will it be available?

      • Guided Conversations - Ticket Creation

        Hi there, Using Guided Conversations to Take Customer Data and apply it into a Support Ticket for internal use, Is there a way to take multiple Textual Variables Inputs (A series of questions), and have the answers all appear in the Description of the

      • How to send certain invoices for Approval based on condition?

        To streamline operations, I need the invoices to go for approval when certain conditions are met. For example, if my staff gives a discount of x amount, it must go for approval. If there is no discount, then the invoice will be approved automatically.

      • Unable to continue payment

        Hi, I want to make a payment for my email subscription, but I cannot proceed with the payment because my NITKU is invalid. In Indonesia, the NITKU consists of 22 digits, but Zoho only provides 20 digits, causing my NITKU to be invalid. Please help me

      • Is there a way to show contact emails in the Account?

        I know I can see the emails I have sent and received on a Contact detail view, but I want to be able to see all the emails that have been sent and received between all an Accounts Contacts on the Account Detail view. That way when I see the Account detail

      • Massive spam pretending to come from our address – is this a Zoho security issue?

        Hi, We’ve been receiving more and more suspicious emails lately — many of them clearly look like scams. But yesterday, we got an email that appeared to be sent from our own address, which was very concerning. We're starting to wonder if this might be

      • Cant recieve mails

        I’m having an issue with my external IMAP account not fetching any emails into Zoho Mail, even though the connection test says “Success”. I can send, if someone sends an email to me. my original directory (home.pl host) recieves it in their portal but

      • Zoho Sheet Autofit Data

        While using Autofit Data function in Zoho Sheets with Devnagri Maratji or Hindi Fonts, a word or a number, it keeps couple of characters outside the right side border.

      • Enhancements to finance suite integrations

        Update on the migration (October 28, 2025): Starting this week (October 29 tentatively), we’ll begin migrating Zoho CRM users to Zoho Books as integration users. This means actions will now run under each user’s own Zoho Books access, instead of the admin’s.

      • Edit 'my' Notes only

        The permissions around Notes should be more granular, and allow to user to be able to edit the notes he created only. The edit Notes permission is useful as it allows the user to correct any mistakes or add information as needed. However, with this same

      • How do I filter contacts by account parameters?

        Need to filter a contact view according to account parameter, eg account type. Without this filter users are overwhelmed with irrelevant contacts. Workaround is to create a custom 'Contact Type' field but this unbearable duplicity as the information already

      • Job Alerts for Candidates

        hi All, I have 2 questions relating to sharing job details with candidates. 1. is there a way to notify candidates that meet certain criteria of current jobs available? eg. I run a candidate search, and identify 50 candidates that might be suitable. Can

      • Add multiple users to a task

        When I´m assigning a task it is almost always related to more than one person. Practical situation: When a client request some improvement the related department opens the task with the situation and people related to it as the client itself, the salesman

      • Enhancing Task Accuracy: Automatically notify the owners upon Task duplication.

        Hello Everyone, A Custom function is a user-written set of code to achieve a specific requirement. Set the required conditions needed as when to trigger using the Workflow rules (be it Tasks / Project) and associate the custom function to it. The requirement

      • Show/ hide specific field based on user

        Can someone please help me with a client script to achieve the following? I've already tried a couple of different scripts I've found on here (updating to match my details etc...) but none of them seem to work. No errors flagged in the codes, it just

      • Where are Kanban swimlanes

        So i've been playing with Zoho Projects Kanban view a bit more. It appears that task lists are being used as the Kanban columns, which makes sense from the implementation point of view but not the logical one.  Kanban columns are statuses that a task can flow through, while a task list has been a logical way to organize related tasks and relate them to a mislestone. In other words a task in a particular task can go through several stages while remaining in the same task list. After doing some research

      • Tip 19: How to display images in Pages using ZML snippets

        Hi folks, We're back with another tip on how to use Zoho Markup Language (ZML) to create interactive pages in Zoho Creator. You can use ZML snippets to add various kinds of components to your pages and structure them in meaningful ways. That's not all, though—using ZML you can ensure your application is automatically compatible with all kinds of devices without any inconsistencies. We often get questions from users about how to invoke Deluge scripts within ZML code. Here's a simple use case for adding

      • Can zoho swign format block text spacing automatically when prefilled from zoho crm?

        I'm sending zoho sign template from zoho crm, so that zoho crm pre-populates most fields. I have existing pdf documents that i am having signed. I have no ability to change the pdf documents, they are standardized government forms. The problem I am facing

      • Zoho Inventory / Finance Suite - Add feature to prevent duplicate values in Item Unit field

        I've noticed that a client has 2 values the same in the Unit field on edit/create Items. This surprised me as why would you have 2 units with the same name. Please consider adding a feature which prevents this as it seems to serve no purpose.

      • Reference lookup field values in Client script

        hello all, I'm using a "ZDK.Apps.CRM.Products.searchByCriteria" function call, which is returning the matching records correctly; however, one of the fields is a lookup field which I need the associated data. I believe there is a way to get this data

      • In App Auto Refresh/Update Features

        Hi,    I am trying to use Zoho Creator for Restaurant management. While using the android apps, I reliased the apps would not auto refresh if there is new entries i.e new kitchen order ticket (KOT) from other users.   The apps does received notification but would not auto refresh, users required to refresh the apps manually in order to see the new KOT in the apps.    I am wondering why this features is not implemented? Or is this feature being considered to be implemented in the future? With the

      • Every time an event is updated, all participants receive an update email. How can I deactivate this?

        Every time an event is updated in Zoho CRM (e.g. change description, link to Lead) every participant of this meeting gets an update email. Another customer noticed this problem years ago in the Japanese community: https://help.zoho.com/portal/ja/community/topic/any-time-an-event-is-updated-on-zohocrm-calendar-it-sends-multiple-invites-to-the-participants-how-do-i-stop-that-from-happening

      • Next Page