GDPR, do you need to comply? Some common myths dispelled!

Update 1 August 2022
The GDPR (General Data Protection Regulation), you’ve heard about that by now, no? A lot of website owners are quite nervous about GDPR, me included, because it is complex and quite a few folks who call themselves experts state rumors as facts, which adds to the confusion. Reading the legal requirements is not that easy, so let us dispel some myths.

Typical myths about GDPR

Myth 1: “I no longer sell to the EU, so GDPR doesn’t concern me”

I’m an American; so far I have also sold products to EU customers, but I don’t need to comply with GDPR because I no longer sell to EU members.

Wrong: Sales to EU members before 25 May 2018 fall under the rules of GDPR, therefore you need to comply.

Myth 2: “GDPR only concerns large organisations”

I don’t own a big organization, I don’t have employees, I don’t even sell anything, I just have a hobby website with a newsletter subscription or a membership system.

Wrong: As soon as you deal with personal information from an EU member, be it the registration of an IP address, e-mail address or name, you have to comply with certain GDPR rules. Granted, you don’t need to break your head over dealing with sensitive data like social security numbers and that sort of thing, and you certainly don’t need to appoint a Data Protection Officer.

Myth 3: “I don’t collect personal data on my site”

I just show videos on my site, no personal data is gathered.

Reality check: Are you sure of that? In fact, today most sites collect some form of identifiable data. For example, if you use traffic analysis on your videos or audios, the player probably sets cookies and/or sends identifiable data to an analytics dashboard or a log, or you use Google Analytics or Piwik (Matomo).
Perhaps you have a comment box on your site?
Writing a comment can result in the registration of an IP address, e-mail address, username, website and finally the content of the comment itself. This combination might lead to the identification of a person. At that point, at least some rules of GDPR apply, like the right to be forgotten, i.e. the commenter may ask you later on to remove the comment. What procedure do you have in place for that?
Bottom line, it won’t hurt to contact the privacy commission in your country and ask them for advice.

Myth 4: “Google Analytics anonymizes IP addresses”

The GDPR does not apply to personal data that has been anonymized. Google Analytics certainly offers the possibility to anonymize IP addresses, but by default it is not set that way.
For instance, you have to set IPs to anonymous in the control panel to make sure you don’t collect personal information in traffic reports. Recital 26 explains that:

“…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”

Anonymization can therefore be a method to limit your risk, and it is a benefit to data subjects as well. Anonymizing data wherever possible is therefore encouraged.
Disadvantage: anonymizing IP addresses gives less accurate information with respect to the visitor’s country. If this is really important to you, you might consider not anonymizing. The privacy policy on your site certainly needs to explain how to opt out in that case.
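As an added example (my own Python, not code from this article or from Google), here is what the IP anonymization described above looks like when applied to a constructed server access log before it is stored: the host part of each client address is zeroed, which is why country lookups get coarser. The truncation widths are an assumption mirroring what Google documented for Universal Analytics (last IPv4 octet and last 80 bits of IPv6 set to zero).

```python
import ipaddress

# Truncation widths assumed to mirror Google Analytics' documented IP anonymization:
# keep the first 24 bits of an IPv4 address (last octet zeroed) and the first
# 48 bits of an IPv6 address (last 80 bits zeroed).
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def anonymize_ip(addr: str) -> str:
    """Zero the host part of an IP address so it no longer singles out one device.

    Raises ValueError for input that is not a valid IPv4 or IPv6 address.
    """
    ip = ipaddress.ip_address(addr.strip())
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    # strict=False lets ip_network zero the host bits for us.
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net.network_address)


def scrub_access_log(text: str) -> list[str]:
    """Rewrite each access-log line so the leading client address is anonymized.

    A client field that is not a valid address is replaced by the literal
    'invalid' rather than kept, so no raw identifier slips through unchanged.
    """
    scrubbed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, sep, rest = line.partition(" ")
        try:
            client = anonymize_ip(client)
        except ValueError:
            client = "invalid"
        scrubbed.append(client + sep + rest)
    return scrubbed


# Constructed sample access-log lines (not taken from the article).
SAMPLE_LOG = """\
203.0.113.87 - - [01/Aug/2022:10:00:01 +0000] "GET /video.mp4 HTTP/1.1" 200 1024
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [01/Aug/2022:10:00:02 +0000] "POST /comment HTTP/1.1" 302 0
not-an-ip - - [01/Aug/2022:10:00:03 +0000] "GET / HTTP/1.1" 400 0
"""

if __name__ == "__main__":
    for line in scrub_access_log(SAMPLE_LOG):
        print(line)
```

Run the scrubber at the point where logs are written or rotated, so the raw address never reaches long-term storage.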

Myth 5: “The fines”

Fact is that the privacy commission started to target websites, and quite a few heavy fines were delivered already in 2022. Some web owners complained that the fine was higher than the revenue they gathered in one year. So be careful out there!
If you neglect important rules and an official privacy commission deems that you left out certain measures intentionally, you may end up with a fine of 15,000 euros or higher.

Myth 6: “Outside the EU, they can’t get to me”

My website is hosted outside the EU, my business also, so they can’t impose their rules.

Wrong mindset: Complying with GDPR rules emanates a seal of trust, also for non-EU customers. In fact, quite a few countries outside the European Union are currently considering more or less the same type of rules, as privacy protection becomes an increasingly important issue to most people. Even Asia is working on cross-border privacy rules (CBPR) using GDPR as an inspiration. Therefore, compliance with GDPR is not such a bad idea.
Secondly, the EU claims that it will have the power to force you to comply via your own government. That might be a myth on its own, but it is perhaps better not to find out the hard way.

Myth 7: “All under the same GDPR laws”

In theory, yes. But there are some differences of interpretation between EU countries regarding personal information, and local laws may still differ. It will take some time before everyone is on the same page. For instance, some countries state that cookies may not be set before the visitor gives explicit consent (and you must be able to prove that), whereas others are more lenient.
This makes GDPR compliance quite a tricky business, especially when using a CMS like WordPress, Drupal or Joomla, since all of them set cookies out of the box. There are various extensions/plugins that prevent setting cookies initially, and indeed the free E-privacy directive extension for Joomla features this.

Myth 8: “A privacy policy is only for cookies”

A privacy policy is only for cookies if you gather no personally identifiable information. If you do gather personal information, you need to explain every nut and bolt about the data you collect. Have a look at our Privacy policy as an example. You are welcome to use this example as a basis, but for each website the situation is different, so most certainly you will need to adapt it substantially. WordPress 4.9.6 also offers a template for a Privacy policy that is very useful.

Myth 9: “I don’t need to fill in a GDPR Data Register”

I don’t deal with employees or individuals; I only sell software online B2B.

In certain circumstances B2B information may be viewed as non-personal, but as soon as you have EU clients who are self-employed, or a personal name of an EU citizen appears after the company name on invoices and/or in the shopping system, the otherwise neutral company information becomes personal information. Filling in a GDPR data register then becomes required as well. There are quite a few templates around, but you are free to create your own since almost every business is different. If you have the budget, you might want to hire an external expert to help you out.
The official templates provided by privacy commissions are often meant for big organizations and therefore overkill for small business owners. I tried it, got frustrated, called the privacy commission and got permission to create my own version.
What you need to do is anticipate every conceivable thing that can go wrong (online security breach, offline security breach, break-in, etc…) and provide an answer for how you are going to handle it.

Myths about e-mail marketing

Some myths about e-mail marketing are dispelled in an excellent post by Brandon Olson from Aweber.com:
https://blog.aweber.com/email-marketing/6-myths-gdpr-email-marketing-debunked.htm/ which I used as the initial inspiration to write this article. I do have doubts about myth 3 in that post, which states that double opt-in isn’t required.
Although that is certainly legally correct, it may create problems. For instance, someone else might sign you up for a newsletter without your knowledge, and you might then decide to take action against the owner of that newsletter.
PS: MiracleTutorials.com has stopped using a newsletter and all data regarding that has been destroyed.

Resources on GDPR consulted:

I looked into tons of sites actually, but only list those that have some form of authority, because there are a lot of cowboys out there trying to make a quick sale with unsubstantiated scaremongering (especially law firms).
By the way, if a firm tries to blackmail you into working with them, immediately call the privacy commission they claim to work with and denounce their practices. OK, so here are some interesting resources:

Full course on GDPR organized by the privacy commission CNIL in France (link may become invalid after some time):
https://www.fun-mooc.fr/courses/course-v1:CNAM+01032+session01/about

Privacy Commission, Belgium:
https://www.privacycommission.be/en/privacy-topics

EUGDPR.org, not an official source but interesting information on controversial topics surrounding GDPR although not everything said on the other pages is necessarily correct (it’s a site with commercial bias):
https://www.eugdpr.org/controversial-topics.html

Official document of the EU commission on the principle of GDPR:
https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32016R0679

What is personal data – explained by ico.org.uk (excellent resource that minimizes legal speak):
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/

Rules regarding Commerce and marketing by CNIL, the privacy commission in France (in French):
https://www.cnil.fr/fr/thematique/commerce-marketing

DISCLAIMER: Although I followed a course on GDPR organized by the CNIL in France, I’m not a lawyer and this article does in no way constitute legal advice. Any person using the information contained in this article is solely responsible for independently verifying the information and obtaining legal advice if required.

Author: Rudolf Boogerman