The GDPR is now in force and there are many misconceptions around it. Here are just a few.
- GDPR is all about data subject consent
Consent is only one of six legal grounds for processing personal data. There are many cases in which you would not use consent as the legal ground for processing personal data (because you did not obtain it, cannot obtain it, or do not want to rely on it, since consent can be withdrawn at any time), but instead process the data because it is necessary for the performance of a contract, for compliance with a legal obligation, or because the processing falls under the legitimate interests pursued by your organisation.
- You must immediately ask for permission to send e-mails
GDPR has little direct effect on e-mail marketing, because in the UK that is regulated by the Privacy and Electronic Communications Regulations (PECR), which have been in place since 2003. This law is set to be replaced by the ePrivacy Regulation, but that new regulation is still under debate within the EU institutions. If you had obtained consent in a manner consistent with the new rules, or you were relying on the soft opt-in for existing customers, then fresh re-consent e-mails were unnecessary. The persistence with which suppliers sent out e-mails over the past month asking you to confirm your consent suggested they had received poor guidance.
- We do not process personal data so the GDPR does not apply to us
Practically every organisation processes personal data: of its employees, of its customers and of its suppliers. Also take into account that personal data encompasses everything that can potentially be linked to an identified or identifiable natural person, which includes online identifiers such as an IP address or even a nickname.
- My organisation is established outside the EU so the GDPR does not apply
Any organisation that offers goods or services to data subjects in the EU (whether or not payment is required), or that monitors the behaviour of data subjects in the EU, falls under the scope of the GDPR. This means that you have to comply fully with the GDPR, and in most cases that you also have to appoint a representative in one of the EU Member States where those data subjects are. The representative can be either a natural person or a legal person. The exemption from appointing a representative is narrow: it only applies where the processing is occasional, does not include large-scale processing of special categories of data or of criminal conviction data, and is unlikely to result in a risk to the rights and freedoms of data subjects.
- The GDPR is only about data security
Data security is certainly important for complying with the GDPR, but the regulation is about much more than that. It is also about gaining insight into how your organisation handles personal data, and about being able to demonstrate accountability. Much like bookkeeping, the GDPR requires you to keep detailed records of what happens with personal data, for what purpose, in which parts of your organisation, and how this relates to the rights and freedoms of the data subject.