Don’t Get Tripped up by These 6 GDPR Myths
We are a terrifying few months away from GDPR’s implementation day and the internet is filled with bad advice.
The amount of blog posts and Quora answers I’ve seen littered with green lights, that should be RED—is astounding.
And as we at Convert, have spent more and more time learning, and reading, and tearing our hair out over this new, big, important, piece of legislation—the more my brain has started flashing alarm bells.
“This industry standard behavior is now bad,” it says. “YOU HAVE TO WARN THEM.”
These are the 6 big lies folks believe about GDPR that folks get wrong, and that we all need to get right by May 25th.
Myth #1: This only affects the EU.
One of the most ambitious things about GDPR is how it expands the legislative scope of data privacy policies. Now, there’s one overarching piece of legislation setting the rules across the EU.
But beyond that, GDPR matters to anyone deals with the data of EU citizens.
Even if your company is based elsewhere—if you have web visitors that are EU citizens, and you track them with cookies—you’re expected to apply with GDPR. If you collect the emails of European data subjects, if you store their IP address, if you interact with their data at all—you’re bound to the same new rules as anyone with an EU-based server.
And honestly, even if you’re 100% sure you don’t deal with EU data—complying with GDPR is a good step in the right direction. Privacy laws everywhere are shifting. Canada is working on new legislation with Privacy Act. The US Congress added Privacy Shield legislation.
Data is, more and more, a valuable form of currency. Which makes data legislation, more important than ever.
Myth #2: I can justify my cookies/cold emails/etc. because of “legitimate interest.”
The legitimate interest condition is….complicated.
While it may (momentarily) leave you a little bit of breathing room for some types of cold emails—it’s not as useful as marketers might hope.
To back up a bit—GDPR outlines 6 different legal conditions for data processing. The two relevant ones for marketers seem to be: data-subject consent, and “legitimate interests.”
Soliciting consent requires you meet all sorts of conditions—it has to be active, unambiguous, affirmative, etc.
Comparatively, “legitimate interests” seems like a walk in the park. But the intention of this clause wasn’t “I legitimately thought they were interested…so, I can send them whatever I want right?”
Here’s what the ICO (UK’s data regulatory body) recommends you confirm before you decide to process data….
- We have checked that legitimate interests is the most appropriate basis.
- We understand our responsibility to protect the individual’s interests.
- We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
- We have identified the relevant legitimate interests.
- We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
- We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
- We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.
- We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
- If we process children’s data, we take extra care to make sure we protect their interests.
- We have considered safeguards to reduce the impact where possible.
- We have considered whether we can offer an opt out.
- If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
- We keep our LIA under review and repeat it if circumstances change.
- We include information about our legitimate interests in our privacy notice.
So if you want to rely on legitimate interests—you have to confirm these things. And you have to document your process. And you have to decide you’re processing with the legitimate interests condition ahead of time. It can’t just be your fall back because you asked for consent incorrectly.
Myth #3: I need to appoint a Data Protection Officer.
GDPR advices some companies to appoint a Data Protection Officer, to oversee the transition, and their data security moving forward.
And the powers that be have pretty clear that public authorities should appoint one. And companies whose primary function includes processing data, or systematically monitoring it. And if you regularly process special categories of data—like health data, or religious and political affiliations—you probably should have a DPO on your team.
But these conditions aside, honestly, there’s no strict rule as to when your company is big enough to mandate hiring a DPO. Or when he data you manage is complex enough for you to need one. 250 employees is one, oft-tossed-around rule of thumb.
In general, it seems SMEs who process your standard types and amounts of data, for marketing purposes, can get by with some solid legal advice, and a thorough dedication to data transparency.
Myth #4: This is an okay way to ask consent.
No! Consent needs to be active. You can’t leave your boxes pre-checked.
No! That’s bundling. You have to ask for consent for separate processes, separately. You can’t just throw “monthly newsletter” subscriptions in with event sign ups.
No! Name your third parties or it doesn’t count!
Nope—persistent cookies need explicit, active consent now. As in, someone has to click a thing or check a box that says “I consent.” They don’t give it just by continuing to browse.
And the nuances go on.
The important thing is: consent rules ain’t what they used to be.
For more on what they are now, we’ve got a more substantive breakdown here.
Myth #5: That’s not personal data.
GDPR has expanded the scope of personal data, from what was previously acknowledged as “Personal Identifying Information.”
We humbly present this helpful table:
Personal Identifiable Data (PII)
The big ones of note here are cookies—which are a little complicated. Exactly what types of cookies will be considered personal data, will be established with the new ePrivacy Regulations.
Right now, there are some exceptions for cookies in the “performance sector.” These are the types that only collect information about website usage, for the benefit of the website operator. They don’t identify visitors—rather, they rely on aggregate data.
You can find a deep dive on how GDPR will regulate cookies here.
Myth #6: As long as I update my processes by May 25th—I’m in the clear.
As a marketer, this is the GDPR condition that makes me want to tear my hair out.
It applies retroactively.
It applies to all your existing data.
Meaning, if you’ve been collecting emails, or running cookies, or messing with any personal data in a way that’s not GDPR compliant—all of that stored data becomes a problem come May 25th.
- Whether your site’s cookies are running on a 3, 6, or 12 month lifespan—it’s a good idea to start those over, and clear any of the personal data they’ve stored.
- Run a re-permissioning campaign, to try and salvage your existing email list.
It’s a headache. And it’s a bummer, to lose some of those contacts you’ve fought hard to win.
But, as they say…
“Sometimes things fall apart so better things can fall together and also data privacy is important so we should all follow the law.”