Debunking 3 Common GDPR Misconceptions


With the General Data Protection Regulation (GDPR) taking effect on May 25, 2018, agencyQ is working to dispel some common misunderstandings and misinformation around it. It’s not too late to wrap your head around the subject, even if you’re not in a technical or security role at your organization.

We’re starting with this list of common GDPR misconceptions; next we will be posting a video panel broadcast on May 23rd to address some additional FUD-based myths surrounding the topic.


Here is our list of the three GDPR myths you may have encountered:

"GDPR is not comprehensible to non-technical individuals"

The General Data Protection Regulation is about protecting individuals' privacy and the personal data that relates to them. Things get muddled when the discussion jumps straight to very specific data use cases and a myriad of acronyms such as PII (Personally Identifiable Information), which is a US term: GDPR's own term is "personal data", and it is broader, covering any information relating to an identified or identifiable person. At its core, GDPR is a set of rules governing how organizations that handle the personal data of people in the EU collect, use and manage that data, whether the data is gathered online or offline. It protects people located in the EU, not only EU citizens.

What sort of data falls under the General Data Protection Regulation? Some common examples (the list is illustrative, not exhaustive; health data is a "special category" with stricter rules, and an IP address counts whenever it can reasonably be linked to a person):

  • Name
  • Photos
  • Email address
  • Social media posts and profile information
  • Personal medical information
  • IP addresses
  • Bank details

If your organization is collecting any of this information about people in the EU, you need to ensure that the data is being managed transparently and in line with the specific rules the EU has set out. Under GDPR, individuals ("data subjects") have rights such as:

  • The right to be informed, through clear notices, about how their data is used
  • The right of access to their data and to have it corrected
  • The right to erasure of the data
  • The right to restrict how the data is used
  • The right to object to their data being processed, including for direct marketing
  • The right to data portability

Once you understand these principles, the rest of the equation is applying GDPR's requirements to your organization's data management systems and processes, specifically wherever they touch customers or users in the EU.

"GDPR is not important to me because my organization only works with US citizens"

Because GDPR is EU law, it can seem that US businesses have little to worry about. That is not how its territorial scope works: under Article 3, the regulation also applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior, regardless of where the organization is based. The US businesses most affected are those in sectors with a global reach such as hospitality, travel, SaaS and retail. These businesses should make an extra effort to ensure that they are compliant; however, there are more far-reaching implications of GDPR for all organizations in the US.

First, as organizations grow and information flows more freely across borders, more companies will find themselves dealing with EU customers and will need to work out what compliance will eventually look like for them.

Second, with the continued legislative scrutiny of data protection in the US, it is likely that GDPR will influence stateside data privacy regulation in the near future. Paying attention to how your company handles data management now can save time and stress later.

"GDPR and Marketing are Not Compatible"

Because so much of digital marketing is targeted on user information and behavioral data, many are overreacting to GDPR fears and deciding that they can no longer run targeted advertising of any type to European audiences. While GDPR will affect ad targeting, there are still plenty of options available to avoid going back to the stone age of untargeted “spray and pray” banner ads.

Permission-based marketing for an organization's email and personalization programs is one key to marketing compliance. Under GDPR, consent has to be freely given, specific, informed and unambiguous, so pre-ticked boxes and silence do not count, and the organization must be able to show when and how consent was obtained. While opt-in forms may solve things for publishers who can gate access to their site, for programmatic platforms that automatically target ads using what GDPR designates as personal data, permission-based opt-ins may not be viable.

The solution, more broadly, is a shift away from personal data in ad targeting. Using segments that group users in ways that cannot be employed to single out an individual will support compliance and put marketers ahead of the pack for potentially more stringent enforcement in the future. Grouping by cohort, keeping each cohort large enough that no member can be picked out, and keeping specific identifying fields such as IP address out of the targeting data altogether will be essential. One caveat practitioners should note: hashing or truncating an IP address or user ID produces pseudonymised data, which GDPR still treats as personal data; only data that can no longer reasonably be linked back to a person falls outside the regulation.

A shift away from personal data in ad targeting is expected, and we'll likely see more sophistication around group-level programmatic ad solutions. This shift will not spell the end of all targeting; it is a pivot point that requires a change in marketing approach.
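To make the cohort idea concrete, here is an added example (not agencyQ's code and not from any ad platform) that builds targeting segments from coarse attributes only, refuses to use identifier fields as segment keys, and suppresses any cohort smaller than a minimum size so that no segment amounts to a description of one person. The user records, the attribute names, the IP addresses and the threshold of 50 are all constructed for the illustration; the minimum-cohort-size rule is a practice the editor is suggesting, not something the original post specifies, and it does not by itself make the stored dataset anonymous.

```python
"""Cohort-level ad targeting that never exposes an identifier.

Added example; the records, field names and threshold are hypothetical.
"""
from collections import defaultdict

# Fields that identify a person directly. They are never allowed to form
# part of a segment key and are never passed to the ad decision.
IDENTIFIERS = {"user_id", "email", "ip"}

# Coarse attributes that a segment may be built from.
SEGMENT_KEYS = ("country", "interest")

# Hypothetical threshold: a cohort with fewer members is suppressed so a
# segment cannot be used to single out an individual.
MIN_COHORT_SIZE = 50


def make_sample_users():
    """Constructed sample records: ids, emails and IPs are synthetic."""
    spec = [("DE", "cycling", 60), ("FR", "cooking", 55), ("IE", "chess", 3)]
    users = []
    n = 0
    for country, interest, count in spec:
        for _ in range(count):
            n += 1
            users.append({
                "user_id": n,
                "email": f"user{n}@example.com",
                "ip": f"198.51.100.{n % 256}",  # TEST-NET-2, documentation range
                "country": country,
                "interest": interest,
            })
    return users


def build_cohorts(users, keys=SEGMENT_KEYS, min_size=MIN_COHORT_SIZE):
    """Group users by coarse attributes.

    Returns (kept, suppressed): kept maps cohort key -> member count for
    cohorts of at least min_size; suppressed is the set of keys that were
    too small to target. Raises if an identifier is used as a key.
    """
    for key in keys:
        if key in IDENTIFIERS:
            raise ValueError(f"{key!r} is an identifier and cannot be a segment key")
    counts = defaultdict(int)
    for user in users:
        counts[tuple(user[k] for k in keys)] += 1
    kept = {k: n for k, n in counts.items() if n >= min_size}
    suppressed = {k for k, n in counts.items() if n < min_size}
    return kept, suppressed


def cohort_for(user, kept, keys=SEGMENT_KEYS):
    """The only value handed to the ad decision for this user.

    Returns the cohort key, which contains no identifier fields, or None
    when the user's cohort was suppressed (serve an untargeted ad instead).
    """
    key = tuple(user[k] for k in keys)
    return key if key in kept else None


if __name__ == "__main__":
    sample = make_sample_users()
    kept_cohorts, dropped = build_cohorts(sample)
    for cohort, size in kept_cohorts.items():
        print(f"targetable cohort {cohort}: {size} members")
    for cohort in dropped:
        print(f"suppressed cohort {cohort}: below minimum size")
    print("ad decision input for user 1:", cohort_for(sample[0], kept_cohorts))
    print("ad decision input for last user:", cohort_for(sample[-1], kept_cohorts))
```

The ad decision only ever receives a tuple like `("DE", "cycling")`; the IP address and email stay inside the organization's own store, where they remain personal data subject to the rights described above.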

Conclusion

As policy moves towards more stringent protection of individuals' personal data, it's important that an organization plans for the future beyond May 25th and understands its path towards more transparent and nuanced management of that data. Be sure to tune in to our video broadcast on May 23rd, where we'll dive into other common misunderstandings and offer additional perspective on the likely realities of the GDPR compliance roll out.


Copyright agencyQ Inc. 2018. The content contained herein is for informational purposes only. Any statements provided by agencyQ or any of its employees cannot be construed as or relied upon as legal advice or counsel.