Are you still confused about GDPR? Are you hearing mixed messages and wondering who to trust? If you are, don’t worry: you are far from alone. That’s why, to help you separate the facts from the fiction and ensure your business is heading down the right path, we asked Mr Marketing to bust six common GDPR myths.
As the GDPR deadline looms ever closer and your inbox bulges with requests to opt-in and review privacy policies from almost every business you have ever dealt with, there is still a great deal of uncertainty surrounding the topic. And many GDPR myths are circulating.
There are several reasons why we find ourselves in this position. For a start, there are still parts of the legislation that have yet to be defined, meaning there is an element of guesswork going on. Also, some aspects that have been defined are relatively vague or ambiguous, and as a result, they are open to interpretation.
Both of these situations lead to assumptions. And those assumptions can be driven by the entirely justifiable motives of the people or organisations making them. For example, the views of those looking to ensure compliance with no risk will in all likelihood be different to those looking to minimise the legislation’s impact on their business-critical marketing activities.
But this doesn’t help the SMEs looking to find their balance between complying and operating their business. So, to help, we spoke to three organisations involved with Kent Vision LIVE to gather their perspectives on six common myths surrounding the implementation of GDPR.
Myth No 1: You will have to scrap all your current customer data when GDPR comes into effect.
Julie Alchin, a corporate and commercial associate at Brachers LLP, believes this myth stems from a mistaken assumption: “Where organisations process any personal data (which is defined as information relating to an identifiable natural person), it will need to comply with GDPR. As part of this process, organisations will have to undertake a review of all existing customer data it holds and processes, identify where it comes from and who it is shared with, and identify the basis on which that data is processed.”
Julie went on to add: “The organisation will also need to review and update its privacy notices, and its existing procedures, to ensure that it covers all the rights individuals have and to deal with any data breaches. Where an organisation relies on consent as a basis to process its customers’ personal data, it will need to review how such consent is sought, recorded and managed, and whether or not any changes need to be made to ensure it complies with the higher obligations imposed by GDPR.”
Rich Tribe, co-founder of both Revolution Events (the company behind Kent Vision LIVE) and digital marketing specialists Inbox Insight, agreed: “Your company will still be able to communicate with existing customers in the usual way, but you will now need to make sure that the way you manage their data is compliant with GDPR. This change will mostly affect who you can share customer information with and the processes you use to protect personal data against security breaches.
“As with the previous data protection legislation, you will also need to provide a clear and easy-to-use method of ‘opting-out’ when sending any non-essential communications,” explained Rich.
Myth No 2: We won’t be able to rent any marketing data.
This is a subject that has worried many businesses. Given his experience at Inbox Insight, we spoke to Rich again: “The variety, volume and depth of marketing data available to rent or buy is likely to reduce dramatically in the wake of GDPR.
“This outcome is mainly because legitimate list brokers will need to seek renewed permission to share data with third parties and for many, this will be very difficult to obtain. For example, would you agree to have your personal data provided to any number of unspecified companies?”
Rich also highlighted a risk to the businesses renting data: “You will need to be very careful about who you buy data from in the future – and should try to obtain evidence that they have the correct permissions for any contacts they are offering to rent or sell to you.
“In the short-term at least, there will be many providers who are not fully compliant with the new legislation, which could have severe implications for their customers,” he concluded.
We also asked Nina Hunt, head of operations at IT solutions provider Allteks, for her view on this myth. Nina reiterated the need to ensure there was an explicit opt-in from the data subjects: “Marketing data is still and will be a valid tool for a company. Acquiring such data must follow the new regulations where the recipient has expressly opted in to receive what you will be sending.”
Myth No 3: We will stop getting spam.
If you think spam will be a thing of the past in a GDPR world, I’m afraid it isn’t quite that simple, as Nina also explained: “One of the aims of GDPR is to reduce unsolicited spam. There needs to be a clear opt in and opt out process so you can remove your data from the company. Unwanted spam/noise will reduce in part because implied consent is no longer allowed and express consent which must be evidenced is much harder to obtain.
“But a large proportion of spam comes from sources outside the reach of GDPR and those bodies enforcing it and so it will not stop entirely,” she concluded.
Myth No 4: As we are leaving the EU, we don’t need to worry about complying with GDPR.
Catherine Daw, an employment partner, also at Brachers LLP, told us why this was also a misconception, possibly based on assumptions that any European legislation will cease to apply when we leave the EU: “The reality is that the Government is committed to implementing GDPR through domestic legislation and leaving the EU will not change this. The Data Protection Bill announced in the Queen’s speech on 21 June 2017 is currently going through the Parliamentary process. It is intended that the final version of the regulations will come into force on 25 May 2018 in line with the other requirements of GDPR.”
Myth No 5: I store my data in the cloud, so it is not my responsibility and the onus is on my service providers.
Rich explained why this is not true: “Your cloud service provider will most likely be one of your data processors, but you will still be the data controller for your customer data. Both parties must adhere to the new GDPR, and the legislation is very clear about the duties of both processors and controllers.”
Nina agreed: “You still have the responsibility for the content being stored, and that it adheres to the legislation. However, cloud service suppliers must also adhere to the same legislation. Both parties have to be compliant.”
Myth No 6: GDPR is just about B2B data and doesn’t apply to personal consumer data.
We ran this one by Julie from Brachers, who stressed GDPR’s emphasis on personally identifiable data: “With GDPR applying to personal data (information relating to an identifiable person) it will, therefore, apply to personal consumer data but it will also apply to B2B data where it involves processing of personal data.”
Rich expanded on the scope of ‘personal data’: “The key factor for B2B or B2C data is whether it contains information that relates specifically to an individual — as opposed to just the organisation they work for. So this would include mobile numbers and direct email addresses. However, in a B2B scenario it does not cover general switchboard numbers or generic emails, especially when these are in the public domain, such as being listed on a website.”