Disclaimer: this is informed advice but not legal advice.
The reality about the GDPR: Correcting the Myths
There are a lot of unfortunate myths about the GDPR and I’ll try to correct some of them.
- Myth: You need to make your privacy page even bigger.
Fact: exactly the opposite: long privacy pages, and those written in legal language, are NOT compliant. The GDPR "requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language" be used. Keep the text short enough that most people will actually read it (i.e. very short) and simple enough that anyone will understand it. Summarize, avoid detail, use short sentences and simple words.
- Myth: The GDPR is about privacy.
Fact: The text mentions privacy only where it cites another directive with "privacy" in its title. You DO need to keep personal data securely protected; you DON'T need to target privacy as such, e.g. by allowing anonymity. But you should keep using terms like "privacy page" because that is what users expect.
- Myth: the GDPR is for EU residents.
Fact: citizenship and residence are irrelevant. The text refers to data subjects "in the Union", so holidaymakers in Europe may be protected. Get legal advice on this point if you think you can ignore the GDPR because you have no customers normally resident in Europe.
- Myth: Data Processor contracts can be under US Law.
Fact: the GDPR text says, "Processing by a processor shall be governed by a contract or other legal act under [European] Union or Member State law". Non-EU data processors who do not yet offer contracts under EU law, please note.
Background: there is debate about this. It could be a drafting mistake, where the wording was intended to have an extra comma after "contract", meaning that only the latter alternative has to be under European law. But to me that seems unlikely, because then the ICO in the UK would have published a clarification and they didn't, so it seems clear that both alternatives have to be under EU law. I have checked with the ICO, by the way.
- Myth: You need to report all personal data breaches and there’s a hard limit of 72 hours.
Fact: there are two separate duties with different thresholds. You must notify the supervisory authority of a personal data breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it", unless the breach is "unlikely to result in a risk to the rights and freedoms of natural persons" (Article 33); if you miss the 72 hours, the notification must be accompanied by reasons for the delay. You must also communicate the breach to the affected data subjects "without undue delay", but only when it is "likely to result in a high risk to the rights and freedoms of natural persons" (Article 34). So not every breach is reportable, and the 72 hours is qualified by "where feasible", but it is not optional.
- Myth: marketers need consent for everything.
Fact: most first-party marketing (e.g. personalization) can be done without consent, as a "legitimate interest", and this is usually the simplest route for marketers. But consent is needed for some contacts, e.g. off-site marketing that is disruptive. Here is the relevant GDPR text about legitimate interests:
"The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest"
"Processing shall be lawful only if ... at least one of the following applies ... processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject".
- Myth: Data collection needs consent.
Fact: No it doesn't. Consent is not necessary for collecting personal data: controllers will usually rely on "legitimate interests". You do need to tell people what data will be collected and what it will be used for, using clear and plain language, but consent is not needed unless you use the data for intrusive marketing such as many kinds of bulk email. (The relevant GDPR text is quoted under the previous myth.)
- Myth: All email marketing needs consent.
Fact: B2C bulk email does need consent because it is disruptive, but the following can often be done as a legitimate interest. The GDPR explains it as follows:
"The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller". So if the data subject expects to receive emails, you can consider using "legitimate interests" to send them. Two cases:
B2B bulk email, if you can show that people are being contacted because of their job, not who they are, and that they need your product. (See the following myth for more detail.)
Transactional (triggered) emails, where individuals are contacted as an extension of the recent "conversation" they had with your website.
- Myth: historic consent is worthless for email - you must renew it under GDPR.
Fact: it is a very, very good idea to renew individual consent, so please do it, but it is not absolutely essential. Document your actions if you rely on either of the following alternatives:
If you can prove that an individual's historic consent was up to GDPR standards, you can keep using it to email them.
Marketers, especially B2B marketers, can also email individuals if there is a "legitimate interest". This requires a "Legitimate Interests Assessment" (LIA): listing the interests in favour of the marketing (e.g. it is relevant to the individual, and both the brand and the individual's company may make more money) and balancing them against the individual's competing interests, rights and freedoms (e.g. they may consider it spam and get annoyed). NB: if an individual previously gave consent, even if it was not up to GDPR standards, and has never complained or unsubscribed, that is evidence that they do not mind being emailed, so you are more likely to be able to email them as a "legitimate interest". As noted above, if the data subject expects to receive emails, you can consider using "legitimate interests" to send them.
- Myth: You need consent from data subjects to change data processors, because that will involve passing personal data to a different organization.
Fact: No you don't. Here is my conversation with the ICO.
You are now chatting with ico_xxxx
Pete Austin: Hi xxxx. The question is one I'm getting asked a lot.
Pete Austin: I am acting as data controller for a website, implemented by several data processors. Under the GDPR, will I need to tell data subjects about these data processors, e.g. on my privacy page? And will I need to get consent from the data subjects to change a data processor?
ico_xxxx: Hello, you should be transparent, here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/ However, you don't need individual consent to change processors.
Pete Austin: Thanks. Have a good day
- Myth: the GDPR requires individual cookie consent.
Fact: no it doesn't. Cookies are mentioned only once in the GDPR, in the following quote: "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers...". Just as there is no GDPR requirement for individual consent to use an IP address, there is no GDPR requirement for individual consent to use a cookie identifier. Note that this is a statement about the GDPR text itself: the rules on consent for storing cookies on a user's device come from the separate ePrivacy Directive (implemented in the UK as PECR), which is outside the scope of this page.
There is a general GDPR requirement to tell users what data you are storing and using, but the GDPR repeatedly makes clear that "The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language" is used. Bloating the information addressed to the public with low-level technical detail is incompatible with this, so do not say too much about cookies. Say clearly and plainly what information you are storing and how you are using it, but NOT the implementation details.
- Myth: Legitimate Interests is a box-ticking thing.
Fact: not really; it is largely about the quality and relevance of your marketing. Legitimate interests is the main alternative to consent, and you do a "legitimate interests assessment" to (1) identify a legitimate interest: easy, because your company needs prospects; (2) show that the processing is necessary to achieve it: again easy; and (3) balance the brand's interests against the individual's interests, rights and freedoms (see the browse abandon assessment below). Stage 3 is the key one: if your marketing is good quality and relevant, so that it meets the expectations of your data subjects, it is quite likely to be a "legitimate interest", unlike poor and spammy marketing, which would not be. Two quotes:
Legitimate interests "may provide a legal basis for processing [i.e. marketing], provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller" and
"The interests and fundamental rights of the data subject could in particular override the interest of the data controller [preventing marketing] where personal data are processed in circumstances where data subjects do not reasonably expect further processing [i.e. marketing]".
- Myth: Browse abandon needs consent.
Fact: no it doesn't. If done properly, browse abandon and cart abandon emails have the same justification and do not need consent. This myth originally comes from a bad example in the ICO's Direct Marketing Guidance (PDF).
That example is not how browse abandon works: no eCommerce site makes shoppers log in before browsing products.
What actually happens is that the shopper provided their email address earlier, either when they created an account or when they went to the checkout. In either case, their intent was to deepen the relationship (to start "negotiations for a sale", to use the ICO's terminology), and there was a clear statement that their data would be used for personalization and transactional emails (and for bulk marketing emails such as newsletters, if they ticked another box for these). Some time later, the shopper browses some products, leaves, and receives a browse abandon email.
Under these circumstances, the legitimate interests assessment (LIA) for browse abandon is a pass. Purpose test: marketing is a legitimate interest. Necessity test: it is the best way to help all parties. Balancing test: it is safe because the shopper's data is already held, the processing is expected, it is in the interest of all parties, and the shopper can unsubscribe or exercise their other GDPR rights if they wish.
(Updated on 16/18/23/27 April and 8/22 May with more myths)