With GDPR enforcement arriving fast this month, PerformanceIN addresses some of the more common misconceptions around the regulation with the help of GDPRPLAN.com founder and affiliate marketing specialist, Micky Khanna.
1. Data collected ahead of GDPR will be OK to use after May 25
Myth: Data collected before May 25 may only be used after that date if it was collected in a way that already meets the GDPR's standards, for example with consent that meets the GDPR's definition of consent, or under another lawful basis that still applies. Historic consent that falls short of that standard will need to be refreshed, or the processing will need a different lawful basis.
2. Every company will need to opt-in their contactable database
Myth: If you have already obtained GDPR-standard consent, or have another lawful basis for contacting your user database, then the ICO states that you do not need to send re-opt-in emails. The Privacy and Electronic Communications Regulations (PECR), which will run alongside the GDPR until they are replaced by the new ePrivacy Regulation, also state that you must not send marketing emails to individuals without specific consent, but there is a limited exception for previous customers under the “soft opt-in”.
3. GDPR will only affect companies operating in the EU
Myth: The GDPR applies to any business that collects or processes the personal data of individuals in the EU, whether or not the business itself is based inside the European Union. It is the location of the data subject, not their citizenship or the location of the company, that brings a business into scope.
4. GDPR compliance will be a safeguard against data breaches
Fact (with a caveat): Compliance does not make a breach impossible, but the measures it requires do reduce the risk of one. Where strict security controls around the storage, transfer, collection and any further processing of personal data are in place, and staff have been trained to understand the security implications of their actions and their obligations under company policy, in line with the accountability and governance measures set out by the ICO (for which we at gdprplan.com provide training), an organisation can demonstrate that it has taken the technical and organisational measures the GDPR expects. Those same measures are the ones that prevent or contain breaches, and they are what a supervisory authority will look at if a breach does occur.
5. GDPR compliance is an issue only for the tech/data teams
Myth: The GDPR should be a business-wide issue that needs everyone to demonstrate respect for personal data, and ultimately it is the CEO who is accountable if the company is found to be non-compliant. The consequences land on the business as a whole: loss of existing customers, and lost new revenue as prospective customers take their business to competitors. If you are a publicly listed company there is also the hit to the share price, which ultimately lies on the doorstep of the CEO, and with it the future of their position and their personal reputation.
6. All information classed as ‘personal data’ will need to be treated the same
Myth: Personal data should be classified according to its sensitivity and the level of risk it poses to the rights and freedoms of the individual. For example, you may classify personal data as “public, private, and restricted” and tie the access privileges for each class to roles within the organisation’s hierarchy, so that the most sensitive data is available to the fewest people.
7. With multiple companies working with the same consumer data (i.e. networks and publishers), the burden of responsibility will fall on just one party.
Myth: It is the responsibility of the data controller to ensure that it has the appropriate contracts in place with each and every processor involved in the processing of personal data, and that both the controller and the processor guarantee "to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject".
Failure to do so could result in the supervisory authority enforcing sanctions on each processor within the chain found to be non-compliant (which could include the processor or processors being ordered to cease processing) and on the controller, which could face a penalty for not taking steps to guarantee the protection of the personal data it has been entrusted with.
8. Hefty fines are the most concerning threat from GDPR
Myth: The ICO has gone to great lengths to state that it will not be looking to issue hefty fines and will only do so as a last resort. What is probably more concerning is the reputational damage and the knock-on effects of negative PR and the associated damage to your brand if you are found to be non-compliant. As per point 5, those effects will also bring into question the leadership and position of those at the top of the organisation.
9. The ICO requires companies to appoint a Data Protection Officer
Fact (kind of…): The General Data Protection Regulation itself, rather than the ICO, states that you need to appoint a Data Protection Officer if:
- You are a public authority (except for courts acting in their judicial capacity)
- Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
10. Small businesses will be exempt from GDPR rulings
Myth: Every business that collects or processes personal data, whether in the private sector, the public sector or the NGO/charity sector, will need to comply with the GDPR, regardless of its size.
This article does not constitute legal advice and you should seek your own legal counsel in relation to your company’s own data protection policy.
PerformanceIN subscribers can also benefit from a bank holiday deal: 50% off the cost of Micky Khanna's GDPR Awareness Course if they sign up before Tuesday 8th May (code: performancein).