Fact or Fiction About Some Key Aspects of GDPR
Unless you’ve completely unplugged for the last year or two, you’ve no doubt heard the term GDPR at least a few times (and probably more than a few).
As with any new legislation, the General Data Protection Regulation has generated plenty of discussion about the new law and how it will impact businesses around the world. Not surprisingly, some of the seemingly common understandings of GDPR are more accurate than others. So, let’s take a look at some of the topics you may have read about and see how they measure up to reality.
One quick note – I, Tom Wozniak, am not a lawyer and nothing in this article should be taken as legal advice. Companies should always obtain professional legal guidance on matters pertaining to industry regulation or legislation like GDPR. With that caveat, let’s get started.
GDPR reaches companies beyond the EU – TRUE
After some initial confusion, I think most people now understand that GDPR is not just a regional issue for companies in the EU. Unlike many regulations, GDPR does not require a company to have a physical presence in the region in order to be affected. If a company collects, stores, or processes personal data of data subjects in the EU (for example, by offering goods or services to them or by monitoring their behaviour), it must comply with GDPR regarding that data. An important point here is how GDPR defines “personal data,” which the regulation spells out with reasonable clarity: any information relating to an identified or identifiable natural person. That goes beyond what we in the US typically consider Personally Identifiable Information (PII) to include online identifiers such as an IP address.
Data I already have in my databases will not be impacted by GDPR – FALSE
A more accurate answer would be “MAYBE FALSE.” It depends on whether the way you obtained user consent and then collected, processed, and stored that data meets the requirements of GDPR. Just as importantly, you need appropriate records, starting with the initial consent, to demonstrate compliance. For example, if you hold clear opt-in records for every EU user in your database who agreed to receive your email newsletter, and you can produce those records upon request, you may be meeting the GDPR consent standard. On the other hand, if you received an opt-in years ago but have no current record of it, you probably do not meet the new requirements. This is an area where expert advice should be extremely valuable. You have probably noticed a lot of emails in your inbox lately from companies asking you to confirm your opt-in choices for newsletters and other information. This is largely because many companies decided the safer route was to get all of their users to opt in again, to avoid potential issues.
All requirements are spelled out very clearly within GDPR – FALSE
Most regulations leave some room for interpretation, and GDPR is no exception. Certain areas are likely to gain clarity only once enforcement actions and regulatory guidance set standards for how terms like “reasonable degree of certainty” are to be applied consistently. Until then, companies and their legal advisors must do their best to develop their own working definitions, document them, and adhere to those standards.
No one knows exactly how or when GDPR will be enforced – TRUE
This is really one of the biggest open topics about GDPR. What will enforcement look like? Will one of the national Data Protection Authorities aggressively target a big-name company to set an example? Should smaller companies be more concerned about being singled out? No one really knows at this point, and even the best guesses from industry insiders are fairly wide-ranging. The general consensus is that we won’t know until we know. However, the potential penalties are quite severe (administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher), which is one reason companies are taking it very seriously.
I can just hire an outside company to certify us as compliant with GDPR – FALSE
Be wary of vendors that guarantee they can deliver GDPR compliance, since there are still many unknowns about the regulation and, as mentioned above, aspects of it are open to interpretation. There are many qualified firms that can help companies with their GDPR initiatives, but none can offer a magic pill that takes care of a company’s readiness overnight. GDPR itself (Article 42) provides for certification mechanisms to be established, but at the time of writing no approved GDPR certification exists, so any “certified compliant” claim should be treated with caution.
GDPR is not going to be the last major privacy legislation around the world – TRUE
All signs point to more data privacy legislation around the globe in the months and years ahead. There is a wave of privacy regulation on the horizon from countries in Asia, and India also has new privacy legislation in the works.
About Tom Wozniak, Executive Director of Marketing – OPTIZMO Technologies, LLC
Tom Wozniak heads up marketing and public relations for OPTIZMO Technologies, a company that delivers the industry’s most robust platform for email compliance and suppression list management to clients throughout the U.S. and around the world.
Wozniak brings over 20 years of experience in the digital marketing arena, having worked for companies across Ad Tech, performance marketing, database marketing, and the traditional agency arena. Prior to joining OPTIZMO, he was VP of Marketing at SpotX, a digital video ad server and programmatic marketplace. He has also held leadership roles with Trueffect, Media Breakaway, Cahners Publishing, and NextAction, among other companies.
Over the years, Wozniak has helped guide multiple startup and growth phase companies through the challenges of rapid growth. In addition, Wozniak has launched several successful endeavors in the real estate investment arena. Wozniak has gained experience in B2B and B2C marketing, sales, business development, client success, and training, across a wide variety of industries. He lives in Denver, CO and is an active real estate investor who also mentors young entrepreneurs.