
EU GDPR compliance and consent: SEPARATING THE MYTH FROM THE REALITY

March 14 2017

In our series on EU General Data Protection Regulation (GDPR) compliance and consent, so far we’ve provided a broad overview of what to expect on 25 May 2018, a GDPR readiness checklist on what your company can do to prepare and thoughts on what it means for digital marketers. That leaves weeding out the misconceptions and scare-mongering from the truth.
 

“EU GDPR compliance is optional.”
In the high-octane world of European Union law-making, EU GDPR is one of the big swingers. It’s not a directive, it’s a binding regulation.
 
“It’s a B2C thing…”
Not so fast. EU GDPR makes no distinction between B2C and B2B. In fact, B2B faces some serious challenges, given that tracking IP addresses, targeting social media based on profiling, and collecting email marketing data will require explicit consent, or in some cases be banned.
 
“It’s a European thing…”
Brexit or not, EU or not, GDPR applies to any organisation within the EU, or any worldwide organisation that processes EU citizens' data. We’re used to alcohol-promoting sites requiring users to confirm their age. Could we be seeing sites sending EU visitors to a separate landing page?
 

“I’m going to be swamped with Subject Access requests about the data we’re holding”
Companies are obliged to provide a response to a request for free – but the first time only. And if those requests are seen as malicious, the organisation has the right to refuse.
 
“GDPR only applies to new data”
The regulation will apply to all data, new and existing, so you can’t use a legacy database of subscribers until you re-permission. Time to roll out that Data Protection Impact Assessment.

“Personal data means a person”
Personal data can cover any information that identifies a ‘data subject’, including location, demographic and so on. In short, an email address represents personal data.

“Signing up for a free trial or newsletter is the same as giving consent”
Consent must be ‘unambiguous’ and involve a ‘clear affirmative action’. This is perhaps the defining characteristic of GDPR as it affects marketers.

“Data breaches must be reported to the Regulator within 72 hours!”
This is one of the headline-grabbing features used to rouse organisations into action. It is true, but not always. Where there is no risk to data subjects’ individual rights and freedoms, an organisation suffering a data breach has more leeway to react. If you’re handling sensitive data, though, you need to respond within the limit.
 

“Organisations must appoint a Data Protection Officer.”
Your two-man marketing start-up in the garden shed isn’t necessarily going to have to make room for a new hire on £150k/year. You will not need to appoint a DPO if your core activities do not involve systematic monitoring of individuals on a large scale, or if you are based outside the EU and not offering goods/services to, or monitoring behaviour of, EU subjects.
 
“The Data Controller is responsible for breaches”
True, but only half. It is the responsibility of the Data Controller to assure themselves of the Data Processor’s ability to provide sufficient guarantees to meet regulation requirements. Ultimately, both can be held liable.

“Help! One breach and my organisation faces a 20 million-euro fine!”
Not unless you’re running a major organisation with an annual turnover in the hundreds of millions. The maximum fine is up to 4% of annual turnover, and even then the fines will only kick in once you’ve failed to respond to an order to comply.
 
 
To see how your organisation can prepare for EU GDPR, 