Advertisers who haven’t had at least a moment of anxiety over the European Union’s General Data Protection Regulation (GDPR) either haven’t thought enough about it or are laboring under some misconceptions. When this restrictive order goes into effect on May 25, any organization believing it is unaffected is going to be rudely – and potentially expensively – awakened.
Here are seven commonly-held GDPR myths and the reality checks that debunk them.
Myth 1: “Neither my organization nor my customers are in the EU so the GDPR doesn’t affect me”
Reality: Any organization that has even a tangential relationship with European Union consumers, or non-EU consumers physically within the EU’s jurisdiction, is going to be subject to the GDPR.
The GDPR umbrella covers EU citizens, non-citizens who happen to be in the EU, and organizations that use data processors located in the EU. Weeding out customers who don’t fall under any of these headings is difficult, and the potential fines for a single screw-up are substantial.
Myth 2: “The adverse effects of running afoul of the GDPR are primarily financial”
Reality: With fines of up to 20 million euros or 4% of global turnover (whichever is greater), it’s not surprising companies are disproportionately focused on this particular outcome. But organizations also face damage to their reputation, as a result of customer backlash that earns them the title “disrespectful” or puts them in a position to be seen as “playing dirty.”
GDPR transgressions are already being positioned as breaches both of consumers’ human rights and of their trust.
Myth 3: “Consumer data can only be used under the GDPR with explicit consent”
Reality: There are six total methods of complying with the GDPR’s “Lawfulness of Processing” article. The sticking point is that five of them are subject to interpretation.
The six ways data may be legitimately processed are if:
● A consumer has actively consented to having his or her data
● A consumer has deliberately offered his or her personal data into a contract as part of this consent;
● Personal data is gathered or acted on as part of a legal process (such as criminal records);
● Personal data is used to protect the vital interests of the subject (such as hospital records);
● Personal data is gathered and/or used in the greater interest of the public, or as a result of exercising official authority;
● Personal data is gathered and/or used in the legitimate interest of a controller or a third party, provided those interests are not overridden by the interests, rights, or freedoms of the data subject. Children’s data, in particular, may be exempted from this clause.
Organizations are primarily focused on the first and last methods. Explicit consent represents the most difficult path, but it’s also the safest from an advertiser’s perspective. The idea that legitimate interest gives protection is, in itself, a myth.
Myth 4: “As a data controller (brand or organization) or processor, we’re covered under the GDPR’s ‘legitimate interest’ provision”
Reality: The legitimate interest provision seemingly allows brands and organizations flexibility to use personal data when there is no undue impact on the subject or customer, or when there is a benefit to the consumer. But how enthusiastic is your organization about testing this?
By all accounts, the EU’s compliance arm isn’t going to offer any sort of safe harbor for the good intentions of an organization’s claims of legitimate interest. Any organization claiming a legitimate interest exemption will need a clearly articulated rationale for why it falls under this exemption, and even so, merely claiming it is no guarantee the EU will grant it.
Myth 5: “There will be a grace period for compliance”
Reality: No, there won’t. Or, rather, there has been a grace period – it started in April 2016, when the GDPR was adopted, and is ending on May 25. After that date, grace will be replaced by enforcement.
Myth 6: “GDPR governing bodies aren’t really going to impose fines”
Reality: Yeah, they will. EU countries are already giving warnings, corrective orders—and fines. While the number of organizations receiving fines to date has been small, expect an increase after May 25.
Myth 7: “Facebook and Google are compliant so my organization doesn't have to be”
Reality: Yes, if Google and Facebook are your organization’s only media channels, and you’re not accepting data from them or collecting, analyzing, processing or otherwise using consumer data, and you have no intention of expanding your marketing beyond these two outlets, and, and, and… so in reality, no. Sooner or later, your organization will be tempted to store and use customer data, or someone within it will employ programs, in ways that run afoul of the GDPR. At that point, the excuse that Google and Facebook had been your only channels will fall on deaf ears.
Organizations that use personally identifiable consumer data and that have any tangential – no matter how flimsy – relationship with EU consumers, or any presence – no matter how insignificant – on EU soil, will need to be in compliance with the GDPR.
These regulations have been set up in such a way that noncompliance comes with significant financial and brand equity consequences.
Ben Plummer, CMO, Grapeshot