The GDPR (General data protection rules), you’ve heard about that by now, no? A lot of website owners are quite nervous about GDPR, me included, because it is complex and quite some folks who call themselves experts state rumors for facts, which adds to the confusion. Reading the legal requirements is not that easy, so let us dispel some myths.
Typical myths about GDPR
Myth 1: “I no longer sell to the EU, so GDPR doesn’t concern me”
I’m an American, so far I also sold products to EU customers but I don’t need to comply to GDPR, because I no longer sell to EU members.
Wrong: Sales to EU members before 25 May 2018 fall under the rules of GDPR, therefore you need to comply.
Myth 2: “GDPR only concerns large organisations”
I’ don’t own a big organization, I don’t have employees, I don’t even sell anything, I just have a hobby website with a newsletter subscription or a membership system.
Wrong: As soon as you deal with personal information from an EU member, be it the registration of an IP address, e-mail and name, you have to comply with certain GDPR rules. Surely, you don’t need to break your head over dealing with sensitive data like social security numbers and that sort of thing and you certainly don’t need to appoint a Data protection officer.
Myth 3: “I don’t collect personal data on my site”
I just show videos on my site, no personal data is gathered.
Reality check: Are you sure of that? In fact, today most sites collect some form of identifiable data. For example, you use traffic analysis on your videos or audios, the player probably sets cookies and/or sends identifiable data to an analysis dashboard or a log, or you use Google analytics of Piwik (Matomo).
Perhaps you have a comment box on your site?
Writing a comment can result in the registration of an IP address, e-mail, username, website and finally the content of the comment itself. This combination might lead to the identification of a person. At that point, at least some rules of GDPR apply, like the right to be forgotten. I.e., the commenter may ask you later on to remove the comment. Which procedure you have in place for that?
Bottom line, it won’t hurt to contact the privacy commission in your country and ask them for advice.
Myth 4: “Google Analytics anonymizes IP addresses”
The GDPR does not apply to personal data that has been anonymized. Google Analytics certainly offers the possibility to anonymize IP addresses, but standard it is not set that way.
For instance, you have to set IP’s to anonymous in the control panel to make sure you don’t collect personal information in traffic reports. Recital 26 explains that:
“…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
Anonymization can therefore be a method to limit your risk and it is a benefit to data subjects as well. Anonymizing data wherever possible is therefore encouraged.
Myth 5: “Heavy fines hang over my head”
From 25 May 2018 onwards, huge fines hang over my head when I forgot a little detail.
Exagerated: Elizabeth Denham, the U.K.’s information commissioner, said the following in a blog post (no longer available) from the Ico news site:
“It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm,” she said. “The ICO’s commitment to guiding, advising, and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
On a personal note: I contacted the Privacy commission in Belgium and they said that they still trying to sort out how certain rules needs to be implemented, so they understand if you don’t get everything 100% right from the start.
That said, if you neglect important rules and an official privacy commission deems that you left out certain measures intentionally, you may end up with a fine, yes.
Myth 6: “Outside the EU, they can’t get to me”
My website is hosted outside the EU, my business also, so they can’t impose their rules.
Wrong mindset: Complying with GDPR rules emanates a seal of trust, also for non- EU customers. In fact, quite some countries outside the European Union are considering currently more or less the same type of rules as private protection becomes an increasingly important issue to most people. Even Asia works on cross-border privacy rules (CBPR) based using GDPR as an inspiration. Therefore, compliance with GDPR is not such a bad idea.
Secondly, the EU claims that it will have the power to force you to comply via your own government. That might be a myth on its own, but it is perhaps better not to find out the hard way.
Myth 7: “All under the same GDPR laws”
In theory, yes. But there are some differences of interpretation between EU countries regarding personal information and local laws may still differ. It will take some time before everyone is on the same page. For instance, some countries state that cookies may not be set before the visitor gives explicit consent (and you must be able to prove that), where others are more lenient.
This makes GDRP compliance quite tricky business, especially when using CMS like WordPress, Drupal or Joomla since all of them set cookies out of the box. We may expect various extensions/plugins that prevent setting cookies initially, and indeed the free E-privacy directive extension for Joomla features this already.
Myth 9: “I don’t need to fill in a GDPR Data Register”
I don’t deal with employees or individuals, I only sell software online B2B.
Although in certain circumstances B2B information may be viewed as non-personal, but as soon as you have EU clients which are self-employed or a personal name from an EU citizen appears after the company name on invoices and/or shopping system, the otherwise neutral company information becomes then personal information. Albeit filling in a GDPR data register becomes required also. There are quite a few templates around but you are free to create your own since almost every business is different. If you have the budget, you might want to hire an external expert to help you out.
The official templates provided by privacy commissions are often meant for big organizations, therefore overkill for small business owners. I tried it, got frustrated, called the privacy commission and got permission to create my own version.
Myths about e-mail marketing
Some myths about e-mail marketing are dispelled in an excellent post by Brandon Olson from Aweber.com:
https://blog.aweber.com/email-marketing/6-myths-gdpr-email-marketing-debunked.htm/ which I used as the initial inspiration to write this article. Although I have doubts about myth 3 in that post, which states that double opt-in isn’t required.
Although it is certainly legally correct, it may create problems. For instance, someone else might sign you up for a newsletter without your knowledge. You might decide to take action against the owner of that newsletter.
PS: MiracleTutorials.com works since the start in 2007 only with double opt-ins and we know from experience that some subscribers forget they subscribed. It’s consoling to have actual proof when you are incorrectly accused of spamming.
Resources on GDPR consulted:
I looked into tons of sites actually, but only list those that have some form of authority, because there are a lot of cowboys out there trying to make a quick sale with unsubstantiated scaremongering (especially law firms).
By the way, if a firm tries to blackmail you into working with them, immediately call the privacy commission they claim to work with and denounce their practices. OK, so here are some interesting resources:
Full course on GDRP organized by the privacy commission CNIL in France (link may become invalid after some time):
Privacy Commission, Belgium:
EUGDPR.org, not an official source but interesting information on controversial topics surrounding GDPR although not everything said on the other pages is necessarily correct (it’s a site with commercial bias):
Official document of the EU commission on the principle of GDPR:
What is personal data – explained by ico.org.uk (excellent resource that minimizes legal speak):
Rules regarding Commerce and marketing by CNIL, the privacy commission in France (in French):
DISCLAIMER: Although I followed a course on GDPR organized by the CNIL in France, I’m not a lawyer and this article does in no way constitute legal advice. Any person using the information contained in this article is solely responsible for independently verifying the information and obtaining legal advice if required.
Author: Rudolf Boogerman