Here are 9 misconceptions about GDPR
Small businesses are exempt. US-only companies are not at risk. ‘Legitimate interest’ allows marketing without consent. And other myths.
The upcoming General Data Protection Regulation (GDPR) is confusing enough without having to be weighed down by misconceptions.
So, here is a list of the top misconceptions about GDPR, according to two experts: Gary Southwell, VP/general manager of the cybersecurity division of security firm CSPi, and Kristina Podman, a digital policy consultant (who also consults for us, Third Door Media).
Misconception #1: ‘Legitimate interest’ allows marketing uses of personal data without user consent. While there is a “legitimate interest” exception in GDPR, it is always weighed against the individual’s personal data rights. Podman said a company could, for instance, use personal data without consent under legitimate interest if it were under court order to do so, if the data were needed to protect some vital interest like human rights, or if I needed your Social Security number after you’d already agreed to buy a car. Otherwise, consent is needed, and it’s not enough that a user has agreed to receive marketing info.