Here are the myths we busted – and the steps you can take to avoid being penalized by regulators.
1. “GDPR only applies in the EU.”
The European Union’s General Data Protection Regulation (GDPR) is widely considered to be the gold standard in data privacy around the world, and many organizations have paid the price for falling foul of it. However, it is not always very well understood.
One of the biggest misconceptions is that GDPR laws only apply in EU territories and that schools and organizations based outside the EU do not need to adhere to them.
This is completely false.
The truth is that GDPR laws apply to organizations anywhere in the world that are collecting data for business use – i.e. not personal or household reasons – as long as that data pertains to someone who is in the EU.
This doesn’t just apply to your outbound activities, such as newsletter marketing to prospective students in the EU and UK, but also to your on-site data capture. For instance, if you have a lead generation form on your website that can be accessed by EU citizens, that form needs to comply with GDPR regulations.
GDPR is formidable, and it’s not the only regulation you need to worry about. Since GDPR came into effect in 2018, more regions have followed suit, with US states including California and Virginia enacting their own data privacy laws. It’s increasingly important to understand your obligation to your users, and GDPR is a useful place to start.
2. “Only data that can directly identify a user is protected.”
The second myth debunked during the webinar was about the nature of protected information.
It is generally understood that personal data includes directly identifying information like a person’s name, address, phone number, or email. However, it is less well-known that indirect information is also protected.
What is indirect information?
Indirect information refers to information that could identify a user if you combined it with information that could reasonably be gleaned from another source.
A common example is a license plate number – on its own, it may be anonymous, but there are third parties who would be able to connect that number with a name.
In a B-school context, indirect data might include things like employment and education information, and you have a duty to protect it.
3. “All we need to be compliant is an opt-in feature on our website.”
We are all familiar with the opt-in feature for cookies on most websites, but data compliance is more than just a box-ticking exercise for you and your users.
Not only do users have a right to opt out of having their data processed – for instance, by not signing up to a newsletter – but users who have previously opted into your tracking have the right to control the data you hold on them.
This includes the right to access their data and to know the purposes for which it is being stored; to correct inaccurate personal data; to have all personal data you hold on them erased if at any time they withdraw their consent; to restrict data processing; to receive the data you hold on them in a structured format; and to stop the processing of their personal data at any time.
In practice, this means having a privacy policy available on your website, clear routes for your users to contact you about their data, and efficient processes in place to deal with their requests.
4. “Once we’re compliant, we can stop thinking about data privacy.”
If you’ve already added a GDPR-compliant opt-in and a privacy policy to your website, you may think you’re in the clear. But particularly where marketing is concerned, that’s not true.
The shake-ups to online data privacy laws in the last few years are not over. Most privacy discussions up to now have focused on browser cookies and the individual targeting and re-targeting that they allow through Google Ads and Analytics.
However, Google recently announced that they will be abandoning the individual cookie model to move towards interest-based tracking.
This has huge implications for business school marketers, as Google’s proposed plan only includes around 350 interest groups, which many worry will be too broad to effectively market to subset audiences. Where previously you might have been able to target individuals with an interest in MBA programs specifically, under the new system you might be marketing to a general “education” bracket.
The result has so far been a shift towards more traditional ad purchasing. New ad formats are emerging, with greater emphasis on landing pages and sign-up opportunities, all of which mean more responsibility when it comes to data control and processing.
It’s a daunting prospect, but with compliant marketing partners like GMAC Connect on your side, you won't be intimidated. GMAC has stopped working with ad exchanges and networks completely to sell ad space directly to clients based on our own knowledge of our audience.
This means access to the audiences of sites like BusinessBecause, which is fully GDPR compliant and also the fastest-growing website in GME, without concerns about data non-compliance.
5. “Only big organizations get caught out by data compliance.”
Finally, you may think that you’re beneath the notice of data regulators because you’re not a multinational corporation like Facebook or Apple, but that’s not true.
The majority of GDPR fines in the public and education sectors relate to not having a sufficient lawful basis for processing data, and to insufficient technical and organizational measures for handling requests from users.
You must always be prepared for the mischievous users and organizations who are on the lookout for non-compliance and will take the opportunity to catch you out.
Working with experienced marketing partners like GMAC Connect is key. To find out more about what data privacy means to B-school marketers, log into your free GMAC account and watch the webinar recording.