There are many myths and false claims surrounding the GDPR. Many come to life because the legal text is complex and can be difficult to fully understand by anyone looking for human rather than legal-speak. The problem is that it’s business owners, marketers and sales, not privacy lawyers, who take on the lion’s share of GDPR implementation and need clear information.
We’ve picked three GDPR myths that we come across on a day to day basis and bust them for you in plain English.
1. The GDPR does not apply to SMEs and businesses dealing B2B rather than B2C
The fact is that the GDPR applies to all businesses based in the EU and to any business outside of the EU that deals with EU citizens’ data. This means that, from Irish startups to multinationals, the GDPR has to be adhered to. Even Irish businesses that exclusively do business outside of the EU have to adhere, as they are based in the EU. This particular myth started because some EU countries tried to get exceptions; however, the message from Brussels has been clear: there will be no change in the territorial scope of the legislation.
The second part of the myth deals with business-to-business vs business-to-consumer dealings. The myth here is that the GDPR doesn’t apply to business contacts, as these are not personal. So, for example, email@example.com would be considered personal data, whereas firstname.lastname@example.org would not be. The GDPR speaks to the material scope of the legislation and says that personal data is any information relating to an identified or identifiable natural person. There is only one person associated with my business email address email@example.com; therefore it’s information that identifies a natural person. However, a group email address, such as an info@ address, does not identify a person. If your business works on a B2B basis with individuals and you hold their data, then be sure you adhere to the GDPR.
2. The GDPR is solved by adding a consent to web forms
Many believe that the GDPR boils down to one thing: consent. That once you have consent from your leads and customers, you are fully covered.
Consent is only one of six legitimate bases to process data. You need to ensure that you choose the right specific legal ground for every type of processing:
1. Consent
2. Contractual necessity
3. Legal obligation
4. Vital interest
5. Public interest
6. Legitimate interest
Consent cannot solve for everything, and it can be withdrawn at any time. So often you are better off choosing a different legal ground if it’s suitable. If consent is the right way to go, you have to be sure that it’s clear, specific and explicit. This means a one-size-fits-all checkbox will not work. Your data subject (i.e. your customer or prospect) has to fully understand what they are consenting to and what this means for them. Consent also doesn’t last forever: you need to add a logical expiration date that a data subject can observe.
On top of that, even if you have obtained consent for the processing of personal data, you’ll still require a separate opt-in before you can send marketing emails. The requirement for marketing email opt-in, as well as the requirements for phone and postal marketing, aren’t laid out in the GDPR but in another set of rules, the PECR.
This is probably the piece that businesses struggle the most with. At the same time, it holds the largest opportunity to continue to communicate with your audience.
3. The GDPR only applies to customer / prospect data
The GDPR doesn’t mention customers or prospects. It speaks about data subjects. A data subject is defined as a natural person whose personal data is processed by a controller (that’s the business) or a processor (that includes any tools, like email marketing providers, or collaborators, such as agencies or accountants, the business might be working with).
If the GDPR applies to any natural person whose personal data is held, then it includes much more than customer or prospect data. It encompasses:
- How you process, store and maintain applicants’ data
- How you process, store and maintain employee data
- How you manage billing, procurement and supplier data
- How you research, contact and store data belonging to influencers in your industry
- How your product (especially if it’s software) handles data that you process on behalf of your customers
- How you handle any other personal data your business might hold
For Irish businesses this means reviewing all personal data that the business holds and examining exactly why it is held, what legal basis there is for holding it, whether it has to be removed and how it is secured, among other headline questions.
Training is vital
We’ve busted just three myths today. There are many more. For Irish businesses it is now vital to prepare for the GDPR and ensure that they are on the road to compliance. The first step to take is to fully understand the legislation and how it applies. MII and BusinessBrew have joined forces to bring you an online GDPR course for marketing that will allow marketers to:
- Gain an understanding of why the legislation is needed and where it stems from
- Develop an in-depth understanding of how the GDPR will apply to marketing
- Confidently implement the GDPR and run compliant marketing campaigns
- Advance their ability to identify current non-compliant processes and avoid
Register your interest today.
About Nikita Smits-Jørgensen
Nikita Smits-Jørgensen is co-founder of inbound marketing and GDPR consultancy BusinessBrew. While being ISO certified in privacy regulations for sales and marketing (GDPR / PECR) she aims to work with marketers in plain English to get GDPR-ready.
Nikita met fellow BusinessBrew founder Evelyn Wolf during their tenure at inbound marketing powerhouse HubSpot, where they assisted businesses of all sizes and industries, as well as marketing agencies, in building their lead-to-customer generation funnels.
BusinessBrew is geared to help companies make the most of their inbound marketing and privacy efforts in the most time- and cost-efficient manner through workshops, training and the delivery of strategic playbooks.