It’s a little over one month until the new rules around data protection (GDPR) replace the current legislation and yet some interesting myths have appeared, confusing large and small organisations alike.
Here at Gold-Vision, we are helping hundreds of companies conquer their GDPR compliance challenge using the new automated compliance tools found in our latest release. We’re also coming across some common areas of confusion, and in this post,
Top 10 GDPR myths, busted
Myth 1: We are only business to business (B2B) so it doesn’t affect us
Busted! If you are storing data about real, living people in the EU, GDPR applies to you, regardless of whether it’s in a personal or professional capacity.
Myth 2: I need to get everyone’s consent, that’s the best approach
Not so fast! It may be the best approach in some cases but there are six different categories of ‘lawful basis’ and you can select which is best for your different kinds of contacts.
Also, remember that consent needs to be specific, between equal parties, and as easy to revoke as to give.
Myth 3: GDPR is about managing opt-ins for email
Not quite! Opt-ins for email marketing have their own set of different regulations and opt-in is related to those.
GDPR is a close relative, but it’s a different set of rules governing how you manage data concerning your contacts: clients, prospects, suppliers, employees, event attendees – anyone. The new ePrivacy Regulation (ePR) was originally going to come in at the same time as GDPR, which is why a lot of the focus was on marketing; but for now, it’s still PECR.
Myth 4: Our website agency has sorted this out for us
Hold on, even the most amazing web agency can’t take care of everything for you.
Deciding your data policies, how long you plan to keep people’s information, whether you should remove some of your less relevant information is not something that you should be letting others’ decide for you. And what about contact information not connected to your website, such as your field sales team’s contacts, your employees, your telephone enquiries?
Myth 5: All our employee data is sorted, we are compliant now
Good start but still no cigar! Employee data does need attention, but I’m guessing that’s not the only contact information in your business?
GDPR compliance is a combination of business decisions, perhaps re-writing some of your policies, and then some practical work to manage your data well. Take another look at Myth 4 for a reminder of the different data sources you need to consider.
Myth 6: On May 25th all the rules around marketing emails change
Wrong rules! As mentioned above (in Myth 3) the new ePrivacy Regulation – which does regulate marketing emails – was originally planned to come in at the same time as GDPR does on May 25th 2018.
However, that plan changed so, for now, it’s still the old Privacy and Electronic Comunications Regulations (PECR) rules in place for email marketing. The new version hasn’t been written yet and there is currently no planned release date available. There is an update for PECR though, and the definition of consent has changed.
Myth 7: We are based in the USA (or Canada, China, Australia, – anywhere!) so GDPR rules don’t apply to us
Well that depends! What you do with your fellow countrymen is up to you, but if you are processing data about EU residents, then yes, this means you too.
The ICO website states specifically that GDPR ‘applies to organisations outside the EU that offer goods or services to individuals in the EU’.
Myth 8: There is loads of free advice about GDPR
There is, but… there is also some really bad advice circulating. (Which is partly why there are so many myths and misconceptions circulating about GDPR).
If you’re not sure, we recommend that you go straight to the source – the Information Commissioner’s own website. Here you’ll find a section ‘For organisations’ which helpfully covers your GDPR obligations and how to compy, as well as detailing exemptions.
Myth 9: This is a lot of fuss about nothing, like the ‘Millennium Bug’ all over again!
Brave call! Unlike the Millennium Bug, this is definitely happening. You may not need outside contractors working round the clock, but you should do something about these new rules, they take effect pretty soon.
In fact, Information Commissioner, Elizabeth Denham cautions businesses not to focus on the enforcement date, instead advising that “GDPR compliance will be an ongoing journey… unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort.”
Myth 10: The company IT system providers say our system is already compliant.
Hmmm. It’s a good start that your system is secure, but that’s only a part of the story. There are new things to consider, such as the Purpose: what is my lawful basis for holding this piece of data, and how long can I keep it?
Now consider that you need to do that for every contact you hold, and it becomes clear that this could take you a while!
Make GDPR work for your business
Fortunately, Gold-Vision CRM has a convenient set of tools to help you put your GDPR policies into action. It uses clever automation to take the work out of updating thousands of contact records, then it actively monitors your compliance status, warning you in advance of any records which need attention.
Arrange a demo and find out how Gold-Vision CRM makes complying with the new rules as easy as 1-2-3!