Debunking 5 Common Misconceptions About GDPR

As we wrote here recently, the European Union’s General Data Protection Regulation (GDPR) places serious restrictions on how a business can use information it has on customers and clients and imposes tough penalties on companies that violate the rules. While the requirements of the GDPR are stringent, there are some common misconceptions many executives in both North America and Europe have about what the regulations allow and what tactics are strictly off limits.

As a GDPR attorney advising clients that are concerned about the impact of the new rules, I have heard executives express numerous misconceptions about them. This should clear up five of the most common GDPR misconceptions.

Misconception: GDPR only covers E.U. citizens. In fact, the GDPR never mentions E.U. citizens, but it does refer to people in the European Union: this includes citizens, resident non-citizens and visitors. Thus, if I go to Europe and register at a hotel in, say, Frankfurt, and the hotel creates a guest file on me that it keeps, I am protected by the GDPR even though I am an American citizen. So, a U.S. developer or vendor who sells a CRM system to a European business must ensure that it will be compliant with the new E.U. rules on data protection or face fines and destructive publicity; likewise, a U.S. company that collects identifiable information about European customers will have to comply with the GDPR.

Misconception: GDPR’s steep fines will hit many companies. While fines for non-compliance can reach four percent of total worldwide revenue (capped at about US$26.6 million), the officials who enforce the GDPR are likely to levy them only when a company flagrantly ignores the law or fails to report to the E.U.’s Information Commissioner’s Office a breach and data leak that affects an individual’s “rights.”

Misconception: Consent is needed before using data to send a marketing email. It’s true that the GDPR has very precise rules for collecting and using customer data. And obtaining explicit, opt-in consent is a sure-fire way to avoid tangling with the E.U.’s Information Commissioner until detailed regulations are published later in 2018. Meanwhile, there are other ways to feel comfortable using customer data without receiving direct consent. The exceptions are fairly complicated so it’s best to talk with a GDPR attorney if you are at all concerned or unsure how to proceed.

Misconception: Every business in Europe or doing business there needs a Data Protection Officer. It’s not always necessary, and even the European Commission recognizes this by listing specific instances where a company must hire a Data Protection Officer. But if the way you use identifiable customer information isn’t on the list, all that may be necessary is to assign someone the responsibility for ensuring compliance with the GDPR. Again, it’s best to talk with a GDPR attorney to ensure you are taking the right steps.

Misconception: GDPR applies only to personally identifiable data. It’s not just someone’s name and address – physical or email – that is covered by the GDPR. The regulation’s definition of personally identifiable information is broad, and includes someone’s IP address and whether or not the organization uses cookies for tracking individuals.

In some respects, the GDPR merely extends the E.U.’s tough privacy rules that have been in force for nearly two decades. Adapting to the new regime should not be that difficult for most companies that have been in the CRM and ERP business for a while. And given the disaster of how Cambridge Analytica misused Facebook’s data, it is highly likely that the United States and Canada will implement laws similar to the GDPR. So, coping with Europe’s regulations might be viewed as both a warm-up and an early warning that data protection must be treated as a serious management concern.

By Marcus Harris