Yeah, that’s not it.

There’s this thing known as consent and purpose. For a GDPR violation, you need to lack either.

When your job has a noticeboard of names, emails and birthdays, they probably got your consent to post it up there. They didn’t get consent to post it onto Facebook.

Yeah, sharing a photo can be a GDPR violation. Because you need to prevent unneccessary processing of data. Like what Facebook does. That’s why most places require you to sign a waiver to allow photos and similar stuff being posted online.

It can be a lot of work. But so is writing a contract. You can’t just do some stuff willy-nilly, and for a good reason.

That being said, the GDPR is mostly unenforced. What it means in practice is “don’t ask, don’t tell”. Meaning, if you keept the info you do have under wraps, you should be fine. Just don’t go whoring your customers’/employees’ info out to your 18 356 “data partners”. Bonus points for having an “Accept All” and “More Options” button, but no “Reject All”.

1st prize for those whose “Reject All” doesn’t encompass “legitimate interest”.