Easy Steps to GDPR Compliance
With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing business processes and systems to make sure you don't fall foul of the new Regulation when it comes into force in May 2018. Even if you have been spared working on a direct compliance project, any new initiative inside your company is likely to include an element of GDPR compliance. And as the deadline moves ever closer, businesses will be seeking to train their staff on the basics of the new Regulation, particularly those who have access to personal data.
The fundamentals of GDPR
So what's all the fuss about, and how is the new law so different from the Data Protection Directive that it replaces?
The first important distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal information such as email addresses and phone numbers. The Regulation applies to any type of personal data that could identify an EU citizen, including user names and IP addresses. Furthermore, there is no distinction between data held on an individual in a business or personal capacity - it is all classified as personal data identifying an individual and is therefore covered by the new Regulation.
Secondly, GDPR does away with the convenience of the "opt-out" currently enjoyed by many companies. Instead, applying the strictest of interpretations, using the personal data of an EU citizen requires that consent be freely given, specific, informed and unambiguous. It requires a positive indication of agreement - it cannot be inferred from silence, pre-ticked boxes or inactivity.
It is this scope, coupled with the strict interpretation, that has had marketing and business leaders alike in such a fluster. And rightly so. Not only will the company need to be compliant with the new law, it may, if challenged, be required to demonstrate that compliance. To make things even harder, the law will apply not just to data newly acquired after May 2018, but also to data already held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, having given those individuals an option to opt out, whether now or previously, will not be enough.
Consent needs to be gathered for the specific actions you intend to take. Obtaining consent merely to USE the data, in any form, will not be adequate. Any list of contacts you hold or intend to buy from a third-party vendor could consequently become obsolete. Without consent from the individuals listed for your company to use their data for the action you had intended, you will not be able to make use of that data.
But it is not all as bad as it appears. At first glance, GDPR looks like it could choke business, especially online media. But that is not the intention. From a B2C perspective there could be quite a mountain to climb, as in most instances companies will be reliant on gathering consent. However, there are two other mechanisms by which use of the data can be lawful, which in some cases will support B2C activities and will almost certainly cover most areas of B2B activity.
"Contractual necessity" will remain a lawful basis for processing personal data under GDPR. This means that if the individual's data is needed to fulfil a contractual obligation with them, or to take steps at their request to enter into a contract, no additional consent will be required. In layman's terms, then, using a person's contact details to draw up a contract and fulfil it is permissible.
There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the data are overridden by the interests of the affected data subject. It is reasonable to assume that cold calling and emailing legitimate business prospects, identified via their job title and employer, will still be feasible under GDPR.