Busting 3 Myths About GDPR
The General Data Protection Regulation ("GDPR”) is in here! Are you scratching your head trying to become GDPR compliant? In this blog post, I am going to debunk three of our most frequent and misunderstood questions about the GDPR from a marketeer’s perspective and, hopefully, make you feel a little bit more comfortable with the upcoming regulation.
Myth #1: You need consent before you can process personal data
No. In order to comply with the GDPR, you have to identify a lawful basis before you start to process data, but consent is only one of six ways to do it. An alternative for consent is for example;
- You have a legitimate interest (which can be direct marketing purposes)
- You are complying with a legal obligation;
- Processing data is required for the performance of a contract;
All six are equals and it is in generally recommended to rely on the one that's most appropriate for the specific processing you will perform, which is not always consent.
If you conclude that consent is the most appropriate lawful basis for a specific processing, remember that consent per definition is a clear affirmative action which indicates an agreement. So, silence, pre-ticked boxes or inactivity is not OK!
Myth #2: You must re-collect consent from existing customers
Unfortunately, the short and quick answer is: it depends.
If you are using consent as your lawful basis, and you are able to demonstrate that the consent that you have collected meets the GDPR standards by it having a clear purpose, an affirmative action and being withdrawable – then you can rely on your already collected consent.
However, if the consent you have isn't GDPR compliant… well then you don't have consent. So, you will need to either collect a consent or, with reference to myth busted #1, consider whether consent is in fact the most appropriate lawful basis for your business. Maybe it is more appropriate with “processing is required for the performance of a contract” (since it involves your “existing customers”) or a “legitimate interest”?
Myth #3: Opt-in to direct marketing is the same as GDPR consent
No. As a marketeer it might be easy to confuse consent under the GDPR with the opt-ins to direct marketing you have collected over the years from your subscribers (sending emails and SMS etc.). But, do keep in mind that these are two very separate things (and legal topics).
If you have an opted-in email constituting personal data, “legitimate interest” will most likely be the most appropriate lawful basis (out of the six available) for processing of such email for direct marketing purpose under the GDPR. But, the sending of the marketing email to the subscriber as such will rely on the opt-in to direct marketing (to comply with the marketing law, which is something different from than the GDPR).
The GDPR harmonises personal data legislation within the EU, but not marketing law. However, the next big thing after the GDPR will be the ePrivacy Regulation (“ePR”) that will harmonise the marketing legislations within the EU. Stay tuned, for more insights on the ePR coming soon.
Note: This blog post is for inspirational and informational purposes only and does not constitute legal advice nor shall it be construed, or relied, on as such. APSIS accepts no liability for any losses incurred as a result of any reliance made on the information contained herein. APSIS reserves all right to the content of the blog.