GDPR has a serious PR problem. From the dominating narrative surrounding this impending law, you would think it’s ominously looming over organizations across the globe like the sinister, tentacled black cloud monster that terrorizes the kids from “Stranger Things.” It is true that no one really knows exactly what is going to happen once the General Data Protection Regulation (GDPR) comes into force on May 25. To further complicate matters, the people who wrote the law weren’t necessarily technologists, nor could they foresee edge cases where law and reality don’t align.
This leaves us all waiting to see who will be the first businesses investigated and fined under the new regulation, and how those initial cases will bring clarity to aspects of the new law that are currently murky or uncertain.
I’ve spent quite a bit of time understanding GDPR over the past year in my role as a vice chair at the Messaging, Malware, Mobile Anti-Abuse Group (M3AAWG). I’ve also been actively involved in educating internal teams at my company and our customers about what compliance will entail. The only way businesses can truly begin taking a level-headed, strategic approach to GDPR preparation and compliance is to separate the facts about the impending law from all of the myths that have been circulating. Here’s how to distinguish between the two:
Fiction: GDPR’s regulations will crush businesses
Fact: GDPR is a regulation, and it was designed to replace the EU Data Protection Directive. The difference between directives and regulations is important. Directives are EU-wide guidelines that serve as the base law and as suggestions to each country, with room for country-specific variations. Regulations apply directly across the entire EU and serve as the base law, with only slight allowances for member states to adopt greater protections.
The law wasn’t designed to stifle business; rather, it was written in such a way to ensure that businesses limit what data they collect, how they use it, and how they protect personal data. Since laws are often updated and defined based on how they’re enforced, some of the more nuanced bits of the law will become evident once the supervisory authorities (SAs) and European Data Protection Board (EDPB) bring actions against businesses based on infractions of the law.
Fiction: GDPR is just an “IT problem”
Fact: Of course, when people hear the word “data,” they automatically equate it with IT. But as our personal lives (and data) become increasingly digital, GDPR is a natural response to this massive cultural shift. More and more, people are starting to take an active interest in how businesses are obtaining, storing, processing, sharing, and using their data. These implications are much larger than a simple IT issue — GDPR reflects the significant responsibility the EU places on businesses to treat individual data as sacrosanct.
Fiction: GDPR only relates to data that users consciously provide to a business
Fact: Bad news for individuals: Just because you didn’t actively provide a business with your personal data doesn’t mean the business has no insights about you. Good news for individuals: GDPR applies to all personal data that is collected about you, generated about you, or otherwise relates to you, whether you consciously provided it or not.
Fiction: U.S. companies that don’t do business in the EU are exempt
Fact: U.S. companies don’t get off that easy. If a business markets to or monitors even a single customer who lives in the EU, that organization is liable under GDPR. And GDPR’s territorial footprint could leave companies unwittingly exposed. For instance, a French citizen living in Los Angeles isn’t covered by GDPR, but an American living in Paris is.
Fiction: All personal data is equal under GDPR
Fact: GDPR has two distinct classifications for personal data: personal data and “sensitive personal data.” Personal data encompasses things like IP addresses, street addresses, names, and phone numbers. Sensitive personal data includes things like ethnic origin, political opinions, religious beliefs, and sexual orientation. Differences arise between how these types of personal data can be used or stored under GDPR. For example, sensitive personal data can’t be used by organizations when making certain kinds of decisions, such as approving someone for a loan.
Fiction: Double opt-in consent is mandatory for email marketers
Fact: While double opt-in is undoubtedly a best practice for all email marketers, the GDPR text is open to interpretation with regard to consent for marketing. What’s clear is that, where businesses rely on consent as the basis for collection and processing, a data subject’s consent must be “freely given, specific, informed, and unambiguous.” Email marketers should also be mindful that people change their minds about their personal data and have the right to withdraw consent at any time.
Thus, if you are relying on consent to process personal data, you can think of double opt-in as one means of meeting GDPR’s requirement for consent that is freely given, specific, informed, and unambiguous. But double opt-in isn’t absolutely required if you can satisfy that consent requirement in another way.
Fiction: You don’t need a Data Protection Officer (DPO)
Fact: The role of the DPO is to ensure that a company is in compliance with GDPR and that adequate protections are in place for processing personal data and sensitive personal data. Naming your IT director as your DPO sounds like a solid plan; however, GDPR is about much more than the technical controls that ensure data security. The DPO must understand GDPR and be ready to interface with the supervisory authorities in Europe should an inquiry be opened. The real answer to whether you need a DPO is: it depends. Much of the standard for requiring a DPO revolves around the idea of large-scale data processing or monitoring, but what counts as “large scale” remains unclear.
Fiction: Once you’re compliant, you’re done
Fact: GDPR compliance will be a marathon, not a sprint. Once the law goes into effect, we will have a better understanding of how enforcement will work and how fines for non-compliance are levied. This means that GDPR compliance will be a process that evolves over time, and it will require an ongoing commitment to adjust to the terms of the law as necessary.
Don’t be afraid to seek outside guidance and counsel when it comes to GDPR — after all, people are describing the change as a “seismic shift,” and that isn’t hyperbole. Change can be frightening, but it can also highlight places where your own data handling practices have been lacking and help bring you in line with today’s requirements on both a legal and technical front.
Len Shneyder is VP of Industry Relations at SendGrid.