7 Myths About GDPR
One of the main things I dislike about EU legislation – and the new General Data Protection Regulation is no exception – is the way it is written.
Documents are lengthy, and the language is technical, vague and unwieldly.
Even lawyers complain that interpreting it is a herculean task, and this is even when one has the resources to hire teams dedicated to doing this and not much else!
Determining what the regulations ACTUALLY say is left to the general populace, and a consequence is that an entire industry has emerged around the GDPR.
Much has been written on the subject; some of which makes sense.
And the rest? Not so much.
While I’m aware of the irony of contributing yet another article to the Data Protection universe, I wanted to dispel these 7 myths about the GDPR:
My business is small, GDPR doesn’t apply to me
This myth is quite common among small businesses, the misconception being that their company size or number of employees have any kind of bearing on whether this is relevant.
The qualifying criteria have nothing to do with whether you are a solopreneur, or have just one employee. A couple of questions you have to ask yourself are:
- Do you collect or use data that can be used to identify an individual? Bear in mind that this data could relate to an employee, freelancer or contractor, supplier, or client. In case you’re wondering what kind of data could identify an individual, think email addresses, names, dates of birth, and even a computer’s IP address.
- Do you work with data that can be considered sensitive? So, information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life. Genetic and biometric data also counts as sensitive (or special category, to use the correct GDPR term).
If the answer to (either or both) of these questions is “Yes”, then the GDPR applies to you. To be fair, there aren’t many businesses it wouldn’t apply to!
The supervisory authority in the UK – the Information Commissioner’s Office – has a simple assessment tool you can use to check if the new law applies to your business.
The authorities will never come after me
I routinely hear people say, “The regulator won’t come after us; we’re too small. They just don’t have the resources to police this; they’ll go after the big boys first.”
By all means take a risk-based decision on whether this is something to comply with in your business. But while the comment about resources may have some truth in it, it’s important to understand that getting on the regulator’s radar isn’t just a function of how big your company is.
If several of your clients complain to the ICO about data misuse or other non-compliance, that will certainly get you noticed, regardless of whether you’re a multinational or a freelancer from a co-working space.
Processing personal data without consent, or not acting on a request relating to the individual rights are examples of scenarios where your customers could complain to the ICO, so it’s important to get familiar with what constitutes personal data, what personal data you hold, why you need to hold it, how you store it, what the individual rights are, and how you would respond to customer requests.
My business is not based in the EU, so it doesn’t concern me
One of the aspects of the GDPR is its extraterritorial reach.
Which means it’s not restricted to businesses which operate within the EU!
As well as all businesses in the EU, it applies to any businesses that serve or monitor customers resident in the EU, regardless of where those businesses are headquartered or located in the world.
So, companies like Facebook, Amazon, Google, Facebook, Salesforce and InfusionSoft are bound by the GDPR and have to comply with it, since thery serve and hold data on EU customers.
Now, how the EU will enforce the GDPR in cases of non-compliance on international companies is a different story; one for another day perhaps…
As long as I present subscribers to my email list with a double opt-in, I’ll be compliant
GDPR has been every marketer’s nightmare.
Their databases have taken months and years to build and are considered the lifeblood of their businesses, as it means they have a list of contacts who are “warm” (i.e. they are familiar with the product or service they provide and have at some point expressed an interest in it), who they can keep informed by way of regular updates, and can sell to when new things are added to the product range.
The issue is that most (if not all) of those contact details cannot be proved to have been sourced in ways that are considered GDPR-compliant, and so businesses are having to seek the consent of whose details they hold.
I’m sure your inbox has been flooded by similar requests; I’ve had emails from companies I haven’t even heard of, asking if I want to continue hearing from them!
The key to this is that customers have to actively opt in. this means they can be no pre-ticked boxes, and the onus cannot be on the customer to opt out.
The problem this present for marketers is that many people are choosing NOT to opt back in to many databases; anecdotal evidence suggests that less than 20% of contacts on their databases are doing so!
The point is that some contacts previously got on databases and distribution lists by means of a double opt-in, which is where you might input your email address to get access to a free gift (such as a checklist, pdf, white paper, etc.) – this is the first opt-in.
The business offering the gift emails you asking you to confirm that you really want the gift – this is the second opt-in.
However with the GDPR, opting in to a distribution list must be explicit and not linked to any other communication or offer, which means the double opt-in as it was previously used in conjunction with free gifts and offers, no longer suffices.
Individuals must clearly understand that they are agreeing to be on your distribution list, and you must be able to evidence that, if it is ever required.
I use other software and systems, but it’s up to THEM to be GDPR compliant
It is, but since they are working on your behalf, you have the overall responsibility to ensure they are compliant before they process any data on your behalf.
I’ll give you an example. Say I use Office 365 software on my laptop, and as part of my client work, I process their data via Outlook, Excel and PowerPoint, which are all Office 365 applications.
The onus is on me to ensure that Microsoft is adhering to the GDPR.
The way to do this is to ask your software supplier what they have done to achieve compliance, or ask them for a Data Processing Addendum to your existing contract (in this scenario, they are acting as a Data Processor on your behalf, and you are the Data Controller. I’ve explained what these terms mean here .
You will find that larger companies like Microsoft have a standard one which they will have sent out to users of their software – or it will be on their website.
If you do not get a satisfactory response from a vendor or supplier, and are not convinced of their approach to GDPR, you may want to consider the merits of continuing to give them your custom, as their non-compliance could compromise your business.
Since my business is based in the UK, Brexit means I don’t have to comply with GDPR
Even though the United Kingdom is due to exit the European Union in 2019, the government has confirmed that the GDPR will still apply.
The ICO is the UK’s supervisory authority, and has been advertising the incoming regulation for the past few months.
So sorry folks, this is one you still need to comply with, regardless of Brexit!
Once I comply by 25 May 2018, my job in terms of data protection is done!
The enforcement deadline is 25 May 2018, but that doesn’t mean your responsibility for data protection ends there. Compliance is something you’ll need continue to execute and monitor, so unfortunately, this isn’t something that’s a one-off.
Your databases, records, processes must be living documents, and training will need to continue to ensure that standards are maintained.
*Please note that this does not constitute advice on the legalities of GDPR or data protection. This blog post is for the purposes of awareness and information only; you remain responsible for getting independent advice and ensuring your business complies with the regulation.