With only 6 months to go, there still seems to be a lot of scaremongering surrounding the General Data Protection Regulation (GDPR), so here at Space and Time we wanted to dispel some of the myths out there and give you the truth – warts and all.
Myth 1: Brexit means we won’t be affected
For a short while, some marketers thought they’d dodged the GDPR-bullet. “Hurrah”, we’d read in forums, “now I don’t need to worry about GDPR!”. While we are assured that Brexit does indeed mean Brexit, we now know that the UK is not scheduled to exit the EU until March 2019: nearly a year after GDPR comes into force. This means that whatever happens, the UK is required to play by the rules during this brief period at a minimum.
One belief which gained some traction was that organisations would only be bound by GDPR if they formed or continued business relationships with Europe post-Brexit. However on 14th September 2017, the UK government published the Data Protection Bill which will, when introduced to UK law, replace the existing Data Protection Act 1998. The Bill has been drafted to implement and further refine each provision of the GDPR. So while it is true that we won’t be required to adhere to Regulation (EU) 2016/679, domestic legislation will dictate that GDPR practices remain law in the UK.
Myth 2: GDPR doesn’t impact B2B organisations
Much of the discussion around GDPR does focus on the protection of Consumer rights, however the Regulation applies to all organisations processing personal data – any personal data. Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)” – therefore, any business database of names, job titles and corporate email addresses you hold will also be subject to the Regulation, along with staff and supplier data.
Additionally, one of the more significant changes under GDPR is the update to the definition of personal information, which can now include online identifiers such as cookies, IP addresses and mobile device IDs, all of which many B2B organisations use in their lead gen campaigns. If in doubt, always err on the side of caution.
Myth 3: GDPR is mostly about imposing huge fines
The most frightening headlines on GDPR nearly always reference the maximum fines imposed by the Regulation – up to £17.9m or 4% of an organisation’s global annual turnover. It’s understandable that marketers are concerned by this. But it’s important to remember why GDPR exists in the first place: to protect the data rights and privacy of citizens. The Regulation provides an excellent opportunity for us all to improve customer trust by putting data under extra scrutiny and improving the relevance of what we are doing with it.
Consumers are more aware than ever of the value of their information and increasingly understand the nature of value exchange, with 69% happy for brands to use their personal information to send them discounts on relevant products and services*. By instilling a customer-first ethos at the heart of the organisation throughout GDPR preparations, you’ll stand a better chance of long-term success in compliance – more so than by undertaking tick box exercises with the sole purpose of avoiding fines.
As Elizabeth Denham, the Information Commissioner herself, put it: “thinking that GDPR is about crippling financial punishment misses the point… Issuing fines has always been and will continue to be, a last resort.”
Maximum fines will not become the norm and GDPR does not set out to make an example of those who unintentionally fall below its standard.
*Experian/Consumer Intelligence ‘Data Preferences’ Survey, 2016.
Myth 4: All data now needs to be consented & opted-in
It’s a common misconception that marketers will now only be able to use first party data that is opted in: GDPR acknowledges the challenges of this and does not state that organisations need to obtain an opt-in consent for their marketing. You will be able to make use of ‘legitimate interests’ as legal grounds for marketing activity in many instances.
The GDPR states that ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’ – in other words where consent may not be viable. While specific examples of the appropriate use of legitimate interests are not widely discussed in the Regulation, what is unambiguous is the organisation’s obligation to ensure that the data subject’s interests are considered. To demonstrate this, you should be sure that your privacy notices provide clarity to users as well as a clear instruction on how they can opt out.
Legitimate interest is subjective so your organisation should always be able to justify activity and demonstrate consideration of the privacy risks to data subjects.
Myth 5: All individuals have an absolute right to be forgotten
Article 17 of the Regulation refers to the ‘right of erasure’, otherwise known as the right to be forgotten. In contrast to the right to opt-out of marketing communications, erasure is not an absolute right. Processing of data may continue – and indeed be necessary – for a number of reasons, most commonly where data is still required to process a transaction or continue ongoing business activities.
The ICO suggests there are five reasons an organisation may refuse to comply with a request for erasure:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- archiving purposes in the public interest, scientific research historical research or statistical purposes; or
- the exercise or defence of legal claims.
If you have provided third parties with personal data later requested for erasure, you must also inform any involved agency of the request.
Now you know the truth about GDPR, hopefully it shouldn’t seem as daunting. But you have to be prepared. And you have to start now; by identifying areas of risk now you will have time to implement any procedural and system changes that may be necessary to ensure your organisation is compliant. There’s plenty to think about between now and May, but approached properly, this exercise can bring significant longer-term benefit to your business and customers alike.
GDPR should be seen as so much more than preparedness and a deadline: it represents an opportunity for marketers to improve the relevance and accuracy of data used which, in turn, helps garner warmer leads who are more engaged with your brand and more likely to convert in our new data-driven landscape. What’s not to love about that?
For more information on GDPR, please speak with your account handler.