Myth 1: The GDPR regulations don’t go into effect until 25 May 2018.
False. The GDPR regulations entered ‘into force’ on the 25th of May 2016, and the following 2 years were designated as ‘time to comply’ for businesses. While the regulations don’t technically apply until the 25th of May 2018 (next month), you might be surprised to know that if your company is accused of breaching a GDPR regulation now, and can’t demonstrate any efforts to move towards compliance by the deadline next month, this could spell trouble.
Myth 2: The regulations only apply to the EU, or to companies specifically doing business in the EU.
False. The regulations apply globally, and moreover, a GDPR complaint could arise from something as simple as a web based form, even one resulting from an ad click. And if you’re thinking, ‘We only target the U.S. in our digital campaigns’, that might not be enough. Consider screening your web forms for EU based domains, phone numbers and addresses.
Myth 3 : B2B customer data doesn’t count within the scope of GDPR.
False. Consider that the B2B contacts your company has might use a blend of personal and professional information, such as email addresses or mobile phone numbers. If the product you sell is used in a way that interacts with consumer data, there could be pass through liabilities associated with the use of your product. GDPR regulations relate specifically to the ‘processing and recording’ of personal data. You might be surprised how broad that scope can be.
Myth 4: GDPR governs privacy rights of consumers digital personal information.
True. Yes, GDPR contains consumer rights to privacy, erasure of data, etc., but it’s most important and critical elements actually contain duties and responsibilities, with extremely heavy fines involved if non-compliance resulting in a complaint can be established. For example, GDPR grants consumers the right to be notified if a company is breached, and their private data is exposed – however – it also contains very specific duties that fall to the company in question; your supervisory authority (this will vary by case, vertical, and other factors) must be notified within 72 hours of a breach, but factually, all concerned persons also have to be notified, and via public, not private communication. Ouch. Who would want to do that? Sounds like the professional equivalent of being called to the principal’s office. No thanks!
Myth 5: GDPR violations will result in public exposure and fines.
True. Simply stated, the EU was not playing around here with GDPR. To make good on the commitment to the consumers the regulations are designed to protect, they will impose fines that will be “effective, proportionate and dissuasive”. Not maybe, not possibly, but they will. What does that mean, like a couple grand? 100k? Try not less than 10 to 20 million Euro. As of this writing, for a U.S. based company, the highest of those fines would amount to $24,549,60.00 Yeah, I’d say effective and dissuasive about sum that up, wouldn’t you?
So, those are just a few dangerous myths about GDPR that really needed busting. The bottom line is, if you aren’t ready for GDPR, and need to be – don’t take anyone’s word for it – get proof. If you think you are entirely safe from risk of GDPR related violations, make sure. Ultimately, these regulations are a long time coming, and I believe that we’re in part paying for the sins of our digital forefathers. So be it. With the recent headlines and all the talk about consumer privacy these days, it’s about time someone took it seriously. Should it have been us, right here in the United States – yup. Does it matter that other countries took the initiative first? Maybe – because you can bet that a high degree of scrutiny will be placed on companies here related to GDPR violations, not just from consumers whose privacy has been unjustly compromised, but also by less ethical folks hoping to find and trip up companies into violations, for reasons I needn’t explain.
GDPR – take it seriously. That’s no myth.