#188: 10 Common Lies About GDPR

May 25, 2018

#188: 10 Common Lies About GDPR

[one_third padding=”0px 0px 0 0px”]Listen on iTunes[/one_third][one_third padding=”0px 0px 0 0px”]Listen on Stitcher[/one_third][one_third_last padding=”0px 0px 0 0px”]Listen on Google Play[/one_third_last]
I‘m upset.
I rarely get upset so the fact that I‘m upset, is upsetting.
But the amount of lies and fake news around GDPR is upsetting.
I am here to correct these lies and assure you that there is no need to panic.
By now you should now what GDPR is but just to refresh your memory the General Data Protection Regulation is a EU data privacy regulation that goes into affect on May 25, 2018 and aims to protect private persons in the EU. It has worldwide impact in the sense that if you have subscribers or clients from the EU then this law applies to you too.
Legal disclaimer: I‘m not a lawyer and this episode does not replace legal advice. I‘ve been running businesses successfully since 2004 and know how to read the law, dissect information, and make an informed opinion so that it benefits my clients, my business and is in accordance with the law.

10 Common Lies About GDPR

Lie nr.1
GDPR only applies to EU citizens so you just need to segment your list.
>> No! This regulations applies to anyone who finds themselves in the EU, also travellers. Therefore the advice of some lawyers that you segment your list based on where people live doesn‘t really work. My company is not based in the EU as Switzerland is not in the EU but I spend a lot of time in the European Economic Area as Iceland is a part of EEA and this law also covers those who find themselves in the EEA. This means that my data should be protected by GDPR, plus Switzerland is coming out with a law very similar to GDPR. The effort of segmenting your list and only protecting the data of some people and not others therefore doesn‘t make any sense as you‘ll always have exceptions. And it is actually the exceptions that make the segmentation a risky practice.

Lie nr.2

You‘ll be fined 20M€ or 4% of your worldwide turnover.
>> No! It is very, very unlikely that you’ll be fined at all – ever. If somebody complains about you then it doesn’t mean that the data privacy authorities will immediately start an investigation. They will prioritize cases that are high profile and impact more people and are more likely to result in high fines and media coverage. And if they decide to investigate you and find something wrong, then you’ll first receive a warning without any fine and have the opportunity to correct whatever you did wrong. If you fail to correct what you are doing wrong or if there is another incident soon thereafter then the likelihood of a fine goes up. And still the data privacy authorities will look at the size and impact of your business and issue a fine that is in proportion to your revenue. If your business is based outside the EU it is also questionable how this is going to work but threatening those big fines is surely making businesses pay attention to data privacy and that’s the whole purpose of the regulation!
Lie nr.3
You have to ask everybody on your list to opt in again.
>> No! You do not need to ask previous and current clients to opt in again as you can use the lawful basis of a contract and legitimate interest to keep your clients up to date and send marketing emails until they decide to opt out. Regarding subscribers who are not yet clients it is debatable whether you need to ask them to opt in again or not. If you have record of when, where and how they opted in, you do not need to the ask them to opt in again. If you have been moving between email systems and/or do not have any records of when, where and how they opted in then it is safer to ask them to opt in again. But be careful, the very act of asking for a reconsent, means that you don’t have the legal grounds to email them in the first place, so asking for reconsent when you don’t have to, is not wise.
Actually I just heard a great analogy about this today from a client of mine. Asking for reconsent from your subscribers when the data privacy law changes is like asking someone you are already married to, to marry you again when the marriage law changes.
Yes that does sound ridiculous… and so does reconsent and that’s my opinion.  
Lie nr.4
You cannot offer freebies any longer to build your email list.
>> No! The regulations says that you cannot bundle offers but that doesn’t mean that you cannot offer freebies anymore. The idea behind the no-more-bundling is to stop the common practice of big companies to share your data with their subsidiaries and affiliated companies. So if you have been sharing email addresses with affiliates or sending emails about completely unrelated offers then you need to stop that right now. You need to be transparent at the point of signup of what is going to happen when they sign up for the freebie so your subscribers are not surprised when they get marketing emails from you.
Lie nr.5
You have to use a double opt in.
>> No! There is no mention of double opt in the regulation and therefore no need to start to use a double opt in if you weren’t using it before. Some countries demand double opt in so look up the law in the country where your business is registered if you aren’t sure. Even if GDPR doesn’t demand it, it may be wise to use double opt-in to have a cleaner list at the risk of a percentage of your list never confirming their email address and still wanting to receive emails.
Lie nr.6
You need to use tick boxes.
>> No! There is no mention of tick boxes in the regulation so I am stunned at how many lawyers and software companies are talking about tick boxes. Tests have shown that there is already tick box fatigue among subscribers, either people tick yes to every box or they tick none and then the intent of the regulation is already lost. If you really want to use tick boxes, for reasons beyond me, they cannot be pre-ticked and if no box is ticked you still need to deliver on your promise. Instead of tick boxes I suggest you have a very clear wording at the point of signup and have the option in your emails to sign up for other interesting offers you might have.
Lie nr.7
You need a cookie bar.
>> No! There is no mention of a cookie bar in the regulation because the whole discussion around cookies is covered by another law, PECR, coming out in 2019. Even if you don’t need to have a cookie bar you may want to have one, especially if it is already a common practice in the country where your business is registered. Currently most cookie bar plugins do not stop the loading of cookies and are just informative which renders them useless as you don’t have a choice whether the cookies are loaded or not. It is likely that next year cookie bar plugins will be completely unnecessary when the function of turning cookies on and off will be a part of the browser and not down to the implementation of each business. In any case, what you need now is a cookie policy as a part of your privacy policy.
Lie nr.8
You cannot use Facebook retargeting ads.
>> No! There are many ways to use Facebook retargeting ads and you need to mention all the methods you want to use in your privacy and cookie policy as some require an email address, some a cookie and some an interaction with your Facebook page. Using Facebook ads is based on legitimate interest which means that your subscriber has shown interest in a product or a service and you are now reminding them with your retargeting ads.
When someone opts out of your list then you need to update your custom audience retargeting list in Facebook as they have retracted their consent for you to market to them. At this point there is no way to opt out of retargeting for website visits unless you have a cookie bar plugin that gives that option but then you are basing the retargeting on consent and not legitimate interest. And lastly any kind of retargeting after an interaction on Facebook is based on consent the subscriber has given Facebook and not you. Overall this area is grey and will become a lot clearer in the coming months and years as people want to continue to see relevant ads and targeting as we know it now will not go away but people will be better informed and that is also the goal of the regulation.
Lie nr.9
You cannot use Google Analytics any more.
>> No! GDPR categorizes IP addresses as personal data and therefore some are suggesting that you cannot use Google Analytics anymore to track the use of your website. This is not true as you can easily tell Google Analytics to anonymize IP addresses of website visitors. At the same time you should use the opportunity to digitally accept the contract with Google Analytics which you’ll find in the admin area of your dashboard. When subscribers sign up for your email list then their IP address will be logged as before but there is no need to log individual IP addresses of people who just visit your website and don’t sign up.
Lie nr.10
If a client asks you to delete their data you need to comply.
>> No! Accounting law supersedes data privacy laws in a sense that you need to keep record of accounting data for a certain number of years, most often six years but in Switzerland it is even 10 years. Aside from accounting law you also cannot delete data if it abuses the rights and freedoms of a third party. If the request for deletion comes from a subscriber who is not a client and deleting the data doesn’t hurt anyone else then you need to comply but also remember to keep a record of minimal data about the deletion request itself.
GDPR is about a lot more than just marketing and it is important that you inform yourself and take the necessary steps to become GDPR compliant. Compliance is not about doing everything perfectly but about showing – if and when the data privacy authority check on you – that you’ve done your best to comply.
In order to help you fulfill this task I’ve decided to give you FREE & INSTANT ACCESS to the GDPR Masterclass that I did for my SOMBA community recently. SOMBAs loved the masterclass and I know you’ll love it too. Sign up below.

Learn More about GDPR for Free!

Want to learn more about GDPR and how you can become compliant? Learn our “no panic” strategy for becoming compliant with the new EU data privacy regulation with our FREE 90-minute GDPR Masterclass. Click here to sign up for instant access!

Please share, subscribe, and review on iTunes

Thank you for joining me on this episode of the Sigrun Show. If you enjoyed this episode please share, subscribe and review on iTunes or Google Play Music so more people can enjoy the show. Don’t forget to follow and connect with me on Facebook, Twitter, and Instagram.

Follow ME