Europe’s new data protection law, the General Data Protection Regulation (GDPR) is an undeniably complex piece of legislation. Privacy professionals everywhere have a lot to learn and thankfully there have been many excellent articles written on the topic. For the most part, these focus on the changes that the GDPR will bring about and, specifically, the compliance actions that organisations must take. By contrast, less has been said about what the new law will NOT require. This might sound unsurprising but it’s important to remember that, during the course of its adoption, the text of the GDPR changed many times. As a result, some provisions that were originally proposed were dropped from the final law (or otherwise changed beyond recognition), and this inevitably created a certain amount of confusion. Then throw in a sprinkling of occasional misreporting, together with a dash of Chinese whispers, and suddenly knowing what the law does NOT require becomes almost as important as knowing what it does require.