Common GDPR myths, debunked

Noise around the threat the European General Data Protection Regulation poses to publishers, ad tech companies and marketers is getting louder as the 2018 deadline for enforcement approaches. Naturally, a flurry of “GDPR experts” — some of them helpful, others compounding the confusion — have surfaced over the last year to help businesses navigate the challenges.

Robert Streeter, News UK’s data protection and privacy officer, emphasized the importance of separating fact from fiction regarding the regulations at Rubicon Project’s Automation event in London on Sept. 6. “When you read about ‘expert’ comment on GDPR, I’d advise taking that with caution and examining your own approach to it,” he said. “There’s a lot of misinformation circulating.”

Here are some of the myths, debunked:

Myth: The biggest threat is eye-watering fines
While it’s true that companies that don’t comply with the new laws will face fines of up to 4 percent of their revenues or a maximum £17 million ($22 million), these kinds of fines will be rare, at least in the U.K. They will only be applied to companies that flout the laws or fail to notify the Information Commissioner’s Office of data-privacy breaches that “affect people’s rights and freedoms.”

The ICO has already stated it prefers “the carrot to the stick” in this case. So while it has the power to fine up to that amount, imposing huge fines will be a last resort. “It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm,” wrote Elizabeth Denham, the U.K.’s information commissioner, in a recent blog post. Other sanctions the ICO will use to get companies to comply: warnings, reprimands, corrective orders. These many not hit organizations’ pockets, but they won’t do the companies’ reputations and public perception any good, she added.

Myth: ‘Consent’ is the only way to process data
The GDPR’s more stringent rules around companies obtaining explicit consent for collecting and processing customer data have caused a fair amount of hand-wringing across the ad market. The new array of adjectives used to describe different forms of consumer consent — “explicit,” “unambiguous,” “informed” — are enough to make hearts race. But as with most things, there are more ways to skin a cat. “Consent is the most viable and perhaps only option when it comes to some aspects of collecting and using personal data for digital advertising purposes. But, importantly, there are other ways, which may work for other aspects of data use,” said Yves Schwarzbart, head of policy and regulatory affairs at the Internet Advertising Bureau. So, it’s advisable not to just wait until the ICO gives guidance on consent. In fact, there are six other ways the GDPR allows for personal data to be processed, added Schwarzbart.

For example, before ascertaining what legal basis they have to process the data, companies need to know what partners they’re working with, and where and how the data is shared and traded by those partners, said Nick Stringer, public policy consultant at Entropy Data. They should also look into whether they need to appoint a data protection officer that will help establish a compliance map, he added. That’s what News UK is now doing. “We’re looking at how to get a sense of collecting user information and how the various third parties we’re working with are using it, further down the chain,” Streeter said.

Myth: GDPR is a Europe-only issue
Far from being some typically bureaucratic issue that applies to the 28 members of the EU (including the U.K., as Brexit won’t affect its compliance), GDPR will affect any American company that offers goods or services to consumers in the EU or monitors the behavior of people located in Europe, regardless of where their offices or ad servers are based.

Myth: GDPR is limited to personally identifiable information
GDPR won’t be restricted to collecting sensitive data relating to individuals. Personal data under GDPR applies to IP addresses and cookie tracking, too. “Traditionally, the digital ad sector treated cookies and IP addresses as anonymous, but now, that’s no longer the case,” said Stringer. “People are using language they’re used to, like PII and non-PII, which is confusing things. It’s important people treat non-PII as personal data, too.”

Myth: Google and Facebook will benefit 
While numerous articles have been written detailing how Facebook and Google stand to gain from the data-privacy laws, not everyone believes that to be true. “In terms of revenue, Facebook and Google have the most risk tied to raising the bar on consumer privacy in the EU,” said Jason Kint, CEO of Digital Content Next. “Anyone who believes their lobbyists’ myth that privacy regulation will only help Google and Facebook is having the wool pulled over their eyes.”