Disclaimer: this is informed advice but not legal advice.
More Documents about the General Data Protection Regulation (GDPR):
The reality about the GDPR: Correcting the Myths
There are a lot of unfortunate myths about the GDPR, let's try to correct some of them...
Myth: You need to make your privacy page even longer.
Fact: Exactly the opposite: long privacy pages and those using legal language are not compliant. The GDPR "requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language” be used. Keep text short enough that most people will actually read it (i.e. extremely short) and simple enough that a novice will understand. Summarize, avoid detail, use short sentences and simple words.
- Myth: Marketers need consent for everything.
Fact: Almost all first-party marketing (e.g. personalization) should be done without consent, as a “legitimate interest”. ("The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest"). Consent is needed for off-site marketing that is disruptive – recipients are likely to consider it “spam”.
- Myth: All email marketing needs consent.
Fact: B2C bulk email does need consent, but the following can often be done as a legitimate interest: B2B bulk email, if you can demonstrate that people are being contacted because of their job and not who they are. And transactional (triggered) emails where individuals are contacted as an extension of the recent “conversation” that they had with your website.
- Myth: The GDPR is about privacy.
Fact: The text only mentions privacy in one footnote, where it mentions another directive with privacy in the title. You DO need to keep data securely protected; you DON’T need to target privacy, e.g. by allowing anonymity. But you should keep using terms like “privacy page” because that’s what users expect.
- Myth: The GDPR is for EU residents.
Fact: Citizenship and residence are irrelevant. It says people “in the Union”, so holidaymakers in Europe may be protected. You should get legal advice on this issue if you think you can ignore the GDPR because you have no customers in Europe.
- Myth: Data Processor contracts can be under US Law.
Fact: “Processing by a processor shall be governed by a contract or other legal act under [European] Union or Member State law”. Non-EU Data Processors who don't yet offer contracts under EU law, please note.
- Myth: You need to report all personal data breaches and there’s a hard limit of 72 hours.
Fact: You only need to notify serious data breaches, “likely to result in a high risk to the rights and freedoms of natural persons”. The real-time limits are that you must notify data subjects “without undue delay” and inform the supervisory authority “without undue delay and, where feasible, not later than 72 hours after [your data controller was] aware of it”.
Myth: You need consent to change data processors because that will involve passing personal data to a different organization.
Fact: You don't. Here is my conversation with the ICO.
You are now chatting with ico_xxxx
Pete Austin: Hi xxxx. The question is one I'm getting asked a lot. I am acting as data controller for a website, implemented by several data processors. Under the GDPR, will I need to tell data subjects about these data processors, e.g. on my privacy page? And will I need to get consent from the data subjects to change a data processor?
ico_xxxx: Hello, you should be transparent, here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/ However, you don't need individual consent to change processors.