Top 6 GDPR Myths and What Reality Looks Like!

Author: Sonu Rathore | Categories: CMS, Personalization, Big Data, Business Intelligence, Customer Experience, Digital Analytics, Software

After four years of preparation and debate, the GDPR was approved by the EU Parliament on April 14, 2016. It becomes enforceable on May 25, 2018. From that date, organizations found to be non-compliant can face heavy fines: up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher.

"The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy." - Excerpt from EUGDPR.org

The General Data Protection Regulation (GDPR) applies to any organization established in the EU, wherever the processing itself takes place, and to organizations outside the EU that process the personal data of people in the EU in order to offer them goods or services or to monitor their behaviour. It is therefore not limited to organizations based in the EU. It takes effect on May 25, 2018.

What does GDPR mean to organizations?

We, as individual users, push personal data into the digital world all the time, whether to shop online, make a banking transaction, share documents or pictures, and so on. We know that data breaches and privacy abuses happen, but how seriously do we consider that each time we hand data to an online platform? And it is not only about individuals worrying about misuse of their personal data; it is also about raising the level of data security inside organizations.

Under the Data Protection Directive, the rules currently in force, each EU member state transposed the directive into its own national law, with considerable room for interpretation. Organizations therefore ended up following quite different approaches to customer data, from how they secured it to how they used it. This created ambiguity and very uneven levels of privacy and security across the region. The GDPR is a regulation rather than a directive: it applies directly in every member state without national transposition, so it replaces the patchwork with one common standard of data protection that all EU members follow. The aim is to simplify and standardize the rules for protecting personal data.

GDPR myths: Busted!

There is a lot of buzz surrounding the implementation of GDPR and compliance. Various theories are doing the rounds, some of which are intimidating business owners. We will cover them in our three-part blog series on GDPR and compliance. Here, I am highlighting a few of the most common myths that are confusing decision makers in organizations in the EU and elsewhere. Check them out to see whether you too have been misled.

If you run a B2B or B2C business that handles personal data and works through vendors or other third parties, how are you meeting the data protection requirements for that data, including the data your processors hold on your behalf?

Myth: GDPR applies only to establishments in the EU

Reality: The Regulation applies to any organization established in the EU, regardless of where the processing takes place, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. A company with no EU office but with EU customers, or one that simply profiles EU visitors to its website, is in scope.

Myth: An opt-in consent form is all the consent you need

Reality: It is not enough to put opt-in consent forms on websites and mobile apps. Consent has to be informed, so the accompanying instructions and terms and conditions must be clear and easy to understand, written in plain language. Where a service is offered to children, the language has to be intelligible to them as well, and for children under 16 consent must be given or authorised by a parent or guardian (member states may lower that age, but not below 13).

Beyond the language, the forms themselves should be clearly designed and easy to navigate, and withdrawing consent must be as easy as giving it. You will also need to record what each person agreed to, when, and through which form, so that you can demonstrate consent later.

Myth: Honouring the right to be forgotten will be simple

Reality: A user who unsubscribes, withdraws consent or asks to be forgotten expects the company to delete his or her data from every source: everything saved on devices (laptops, desktops, mobiles), everything saved in the cloud, and copies held by processors and other recipients, who must be told about the erasure. This is one of the riskiest areas, and companies are looking for ways to automate it.

Once GDPR is in effect, organizations will need a complete inventory of where user data lives so that they can identify it and erase it from every source, then verify that it is actually gone. That will be quite a task in itself.
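The identify-then-erase workflow described above, as an added example (not code from the original post or from any vendor): a small Python erasure routine that runs over a registry of data stores, re-checks each store after deleting, and writes an audit record. The store names, the records in them and the write-once archive that refuses deletion are constructed sample data; the point is that "erasure complete" is only reported when every store has been verified empty, and a store that cannot delete is surfaced rather than silently counted as done.

```python
"""Erase one data subject from every registered store, verify, and log it.

Added illustration; not the blog's code or any vendor's. The stores, records
and the write-once archive below are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List

# --- constructed sample stores (stand-ins for a CRM, web analytics, a cold backup)
CRM = {
    "c-1001": {"email": "alice@example.com", "name": "Alice"},
    "c-1002": {"email": "bob@example.com", "name": "Bob"},
}

def pseudonym(email: str) -> str:
    """Analytics is keyed by a hash of the email rather than the email itself,
    so the erasure process has to know this mapping to find those rows at all."""
    return hashlib.sha256(email.lower().encode()).hexdigest()[:16]

ANALYTICS = {
    pseudonym("alice@example.com"): [{"page": "/pricing"}, {"page": "/signup"}],
    pseudonym("bob@example.com"): [{"page": "/"}],
}

# A write-once archive: it can report that data exists but cannot delete it.
ARCHIVE = {"alice@example.com": {"snapshot": "2017-12"}}

def find_crm(email: str) -> List[str]:
    return [k for k, v in CRM.items() if v["email"] == email]

def erase_crm(email: str) -> None:
    for k in find_crm(email):
        del CRM[k]

def find_analytics(email: str) -> List[str]:
    return [pseudonym(email)] if pseudonym(email) in ANALYTICS else []

def erase_analytics(email: str) -> None:
    ANALYTICS.pop(pseudonym(email), None)

def find_archive(email: str) -> List[str]:
    return [email] if email in ARCHIVE else []

def erase_archive(email: str) -> None:
    raise PermissionError("archive is write-once; erasure needs a manual ticket")

# Registry: every place personal data lives must be listed here, with a way to
# find a subject's records and a way to remove them. An unlisted store is data
# you will never erase.
STORES: Dict[str, Dict[str, Callable]] = {
    "crm": {"find": find_crm, "erase": erase_crm},
    "analytics": {"find": find_analytics, "erase": erase_analytics},
    "archive": {"find": find_archive, "erase": erase_archive},
}

AUDIT_LOG: List[str] = []

def _audit(email: str, store: str, status: str, detail: str) -> None:
    # Log the pseudonym, not the email: the audit trail must not itself become
    # a fresh copy of the data that was just erased.
    AUDIT_LOG.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "subject": pseudonym(email), "store": store,
        "status": status, "detail": detail}))

def erase_subject(email: str) -> Dict[str, str]:
    """Erase one subject from every registered store and verify the result.

    Returns {store: status} with status one of 'erased', 'not_found',
    'failed' (the erase call raised) or 'residual' (the erase call returned
    but a re-check still found records)."""
    outcome: Dict[str, str] = {}
    for name, ops in STORES.items():
        before = ops["find"](email)
        if not before:
            outcome[name] = "not_found"
            continue
        try:
            ops["erase"](email)
        except Exception as exc:
            outcome[name] = "failed"
            _audit(email, name, "failed", str(exc))
            continue
        # Verify rather than trust: a deletion that silently did nothing is
        # exactly the failure that turns into a complaint later.
        outcome[name] = "residual" if ops["find"](email) else "erased"
        _audit(email, name, outcome[name], f"{len(before)} record(s) targeted")
    return outcome

def erasure_complete(outcome: Dict[str, str]) -> bool:
    """Only tell the data subject 'done' when nothing failed and nothing remains."""
    return all(s in ("erased", "not_found") for s in outcome.values())

if __name__ == "__main__":
    result = erase_subject("alice@example.com")
    print(result, "complete" if erasure_complete(result) else "INCOMPLETE")
    print("\n".join(AUDIT_LOG))
```

Running it for Alice erases her CRM and analytics rows but reports the archive as failed, so the request stays open until the manual ticket is closed; for Bob, who has no archive entry, the run completes cleanly. In a real system the registry would be populated from a data map of production systems, processors and backups, and the audit log would go to tamper-evident storage.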

Myth: Someone will certify me and I will be good

Reality: Unlike standards such as ISO 27001 or PCI DSS, GDPR compliance is not something a third party signs off for you. The Regulation does provide for certification schemes (Article 42), but a certificate does not reduce the controller's responsibility; accountability stays with your organization. Controllers and processors handling the personal data of people in the EU will need to audit and assess their processing at a defined frequency against the articles of the GDPR. The following areas, which mirror the UK ICO's twelve-step preparation checklist, are a practical starting point:

  • Awareness

  • Information you hold

  • Communicating privacy information

  • Individual rights

  • Subject access requests

  • Lawful basis for processing personal data

  • Children

  • Consent

  • Data breaches

  • Data protection by design and data protection impact assessments

  • Data protection officer

  • International

Myth: Personalization will become difficult

Reality: No; in fact you can now streamline the process and serve customers better. Going forward, every processing activity will have to be documented precisely, which means you will know exactly what information you hold and can use it deliberately to tailor the experience, for the organization as well as for individual customers. With that documented data, you can personalize for the users who have opted in to personalization, and you should keep logging enabled so that the data remains traceable back to its source, whether a website, a social channel or another system.

With GDPR in effect, websites will need a lawful basis, such as permission, to store and use user information, and they will have to declare up front what data is collected and for what purpose it will be used.

There are CMS platforms that can help you put the above in place, such as Sitecore, which ships with GDPR-oriented features and can store personal information in encrypted form. Bear in mind that such features support compliance; they do not make you compliant on their own, since the obligations rest with your organization as the controller.

Check back here for more updates on the use of data once GDPR is in force.