Easy Steps to GDPR Compliance1643551
With the new Common Information Protection Regulation (GDPR) looming, you might nicely be one of the many now frantically assessing company processes and systems to make sure you do not fall foul of the new Regulation come implementation in Might 2018. Even if you have been spared operating on a direct compliance project, any new initiative inside your business is likely to consist of an element of GDPR conformity. And as the deadline moves ever closer, companies will be looking for to train their workers on the basics of the new regulation, particularly these that have access to personal information.
The basics of GDPR
So what's all the fuss about and how is the new law so various to the data protection directive that it replaces?
The initial key distinction is 1 of scope. GDPR goes beyond safeguarding against the misuse of personal data such as email addresses and phone numbers. The Regulation applies to any type of individual information that could identify an EU citizen, such as user names and IP addresses. Moreover, there is no distinction in between info held on an person in a business or individual capacity - it is all classified as individual data identifying an individual and is consequently covered by the new Regulation.
Secondly, GDPR does away with the comfort of the "opt-out" currently enjoyed by numerous businesses. Instead, applying the strictest of interpretations, utilizing individual information of an EU citizen, demands that such consent be freely given, specific, informed and unambiguous. It requires a positive indication of agreement - it cannot be inferred from silence, pre-ticked boxes or inactivity.
It's this scope, coupled with the strict interpretation that has had advertising and business leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it may, if challenged, be needed to demonstrate this compliance. To make issues even much more difficult, the law will apply not just to newly acquired data post Might 2018, but also to that already held. So if you have a database of contacts, to whom you have freely marketed in the previous, without their express consent, even giving the person an option to opt-out, whether now or previously, won't cover it.
Consent requirements to be gathered for the actions you intend to take. Obtaining consent just to USE the data, in any form won't be adequate. Any list of contacts you have or intend to purchase from a third celebration vendor could consequently become obsolete. With out the consent from the individuals listed for your business to use their information for the action you had intended, you will not be able to make use of the information.
But it's not all as poor as it seems. At initial glance, GDPR looks like it could choke business, especially on-line media. But that is truly not the intention. From a B2C perspective, there could be quite a mountain to climb, as in most cases, companies will be reliant on gathering consent. However, there are two other mechanisms by which use of the information can be legal, which in some cases will support B2C actions, and will almost certainly cover most locations of B2B activity.
"Contractual necessity" will remain a lawful basis for processing individual data below GDPR. This means that if it is needed that the individual's data is utilized to fulfil a contractual obligation with them or take steps at their request to enter into a contractual agreement, no further consent will be needed. In layman's terms then, utilizing a person's contact details to generate a contract and fulfil it is permissible.
There is also the route of the "reputable interests" mechanism, which remains a lawful basis for processing individual information. The exception is where the interests of those utilizing the data are overridden by the interests of the impacted information subject. It is reasonable to assume, that cold calling and emailing reputable business prospects, identified via their job title and employer, will still be feasible under GDPR.
