GDPR myths and misconceptions
Since May 25th, a lot of misinformation about GDPR has spread, so getting compliant has proved overwhelming.
This is especially true for marketers, who have to deal with a plethora of new applications and technologies whose data processing terms and standards are not very transparent and/or easy to understand.
Let's try to demystify some of these myths and misconceptions.
“Personal data” = personally identifiable information
A tracking cookie is also personal data. Now, how many of the apps you use track users?
Under GDPR, personal data has a wide definition, encompassing a variety of data: any information relating to an identified person (name, surname, ID number etc.) or any information relating to someone who could be identified based on a series of identifiers (e.g. online identifiers such as IP address, geolocation, cookies etc.).
“Personally identifiable information” (PII) is limited to name, address, passport number, driver’s license number, social security number etc. and refers to identified individuals, whilst “personal data” under GDPR is significantly broader and includes identifiers that, combined, can lead to the identification of an individual (it can be a cookie, which is one of many forms of online identifiers, an email address, a person’s location, occupation, gender, a physical factor etc.).
The common misbelief is that compliance on digital properties equals cookie consent. Even though popular, cookies are simply a storage mechanism and they do nothing.
The processing that happens during a user’s visit to a website involves cookies, but also many other bits of data that can be processed: for each external resource loaded on a webpage, the browser passes information to third parties’ servers, including the user’s IP address, the currently visited page, browser type, device type, operating system, language settings, all the cookies set by that respective domain in the user’s browser etc.
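To make that list concrete, here is an added example (not part of the original article) that takes the requests captured while rendering one page and reports, per third-party host, which of the categories above it receives. The page URL, hosts, header values and the function name `disclosuresByThirdParty` are constructed for illustration, and "third party" is approximated by comparing the last two host labels.

```javascript
// Constructed sample: requests a browser made while rendering one page.
const PAGE_URL = "https://shop.example/checkout?step=2";
const UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0";
const CAPTURED = [
  { url: "https://shop.example/static/app.js",
    headers: { "User-Agent": UA, Cookie: "session=abc" } },
  { url: "https://cdn.tracker.test/pixel.gif?e=view",
    headers: { Referer: "https://shop.example/", "User-Agent": UA,
               "Accept-Language": "ro-RO,ro;q=0.9", Cookie: "uid=7f3a; seg=b2" } },
  { url: "https://fonts.vendor.test/css?family=Sans",
    headers: { Referer: "https://shop.example/", "user-agent": UA } },
];

// Assumption: a "site" is the last two host labels. Production code needs
// the Public Suffix List to handle suffixes such as co.uk.
const site = (host) => host.split(".").slice(-2).join(".");

// HTTP header names are case-insensitive.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Request header -> data category named in the paragraph above.
const CATEGORIES = [
  ["Referer", "visited_page"], // how much of the URL is sent depends on Referrer-Policy
  ["User-Agent", "browser_device_os"],
  ["Accept-Language", "language_settings"],
  ["Cookie", "cookies"],
];

function disclosuresByThirdParty(pageUrl, requests) {
  const firstParty = site(new URL(pageUrl).hostname);
  const report = {};
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (site(host) === firstParty) continue; // first-party request, not reported
    // The IP address is visible from the connection itself, whatever the headers.
    const entry = report[host] || (report[host] = { disclosed: ["ip_address"], cookieNames: [] });
    for (const [name, category] of CATEGORIES) {
      const value = header(req.headers, name);
      if (value === undefined) continue;
      if (!entry.disclosed.includes(category)) entry.disclosed.push(category);
      if (name !== "Cookie") continue;
      for (const pair of value.split(";")) {
        const cookieName = pair.split("=")[0].trim();
        if (cookieName && !entry.cookieNames.includes(cookieName)) entry.cookieNames.push(cookieName);
      }
    }
  }
  return report;
}
```

Run against a real HAR export, the same report shows which vendors receive identifiers even when the page sets no cookies of its own.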
Asking consent from your users will ensure GDPR compliance
Wrong. First of all, asking for appropriate consent will ensure your lawful basis for processing, not make you GDPR compliant.
Secondly, if you use certain technologies that do profiling and automated decision-making, that notice cannot be perceived as valid consent, leaving you without legal grounds (read more about these technologies and applications here).
The EDPB (European Data Protection Board) states that “merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation.” So continuing to use a website does not equal valid consent, and this notice alone will definitely not make your website GDPR compliant.
GDPR only applies to companies based in the EU
GDPR affects any company, no matter where it is located, if it offers goods or services to consumers in the EU. Although it concerns the personal data of people living in the EU, it actually regulates the gathering and processing of this data, regardless of where it takes place.
GDPR compliance is just the data controller’s responsibility
It’s true that data controllers have the primary responsibility for processing personal data in conformance with the law. However, this does not fully exempt processors from liability.
Under the GDPR, processors now have direct statutory obligations and are required to provide certain technical or organizational measures (including keeping records of processing activities, reporting data breaches to controllers etc.). More details about controllers’ and processors’ responsibilities here.
Remember that roles and responsibilities often change, especially in digital marketing and complex processing chains. A data processor exceeding the controller’s mandate will become a joint controller (also known as “co-controller”), and joint controllers must enter into an arrangement reflecting their responsibilities for complying with the GDPR.
Georgiana Bedivan, Head of Compliance