Easy Steps to GDPR Compliance

From HistoryPedia
Revision as of 06:30, 19 January 2018, created by ElmokwzobfanwjDecaire


With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing company processes and systems to ensure you don't fall foul of the new Regulation when it is implemented in May 2018. Even if you have been spared working on a direct compliance project, any new initiative within your business is likely to include an element of GDPR conformity. And as the deadline moves ever closer, businesses will be looking to train their employees on the fundamentals of the new Regulation, particularly those who have access to personal data.

The basics of GDPR

So what is all the fuss about, and how is the new law so different from the Data Protection Directive that it replaces?

The first key difference is one of scope. GDPR goes beyond safeguarding against the misuse of personal data such as e-mail addresses and phone numbers. The Regulation applies to any form of personal data that could identify an EU citizen, such as user names and IP addresses. Furthermore, there is no distinction between information held on a person in a business capacity and in a personal capacity - it's all classified as personal data identifying an individual and is therefore covered by the new Regulation.

Secondly, GDPR does away with the convenience of the "opt-out" currently enjoyed by many companies. Rather, applying the strictest of interpretations, using the personal data of an EU citizen requires that consent be freely given, specific, informed and unambiguous. It requires a positive indication of agreement - it can't be inferred from silence, pre-ticked boxes or inactivity.

It's this scope, coupled with the strict interpretation, that has had marketing and business leaders alike in such a fluster. And rightly so. Not only will the company need to be compliant with the new law, it may, if challenged, be required to demonstrate this compliance. To make things even tougher, the law will apply not just to information newly acquired after May 2018, but also to information already held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, even giving the person an option to opt out, whether now or previously, won't cover it.

Consent needs to be gathered for the actions you intend to take. Obtaining consent just to USE the information, in any form, will not be adequate. Any list of contacts you have or intend to buy from a third-party vendor could therefore turn out to be obsolete. Without consent from the individuals listed for your company to use their information for the action you had intended, you will not be in a position to make use of the information.

But it's not all as bad as it appears. At first glance, GDPR looks like it could choke business, particularly online media. But that is really not the intention. From a B2C viewpoint, there could be quite a mountain to climb, as in most instances companies will be reliant on gathering consent. Nevertheless, there are two other mechanisms by which use of the information can be legal, which in some instances will support B2C actions and will almost certainly cover most areas of B2B activity.

"Contractual necessity" will remain a lawful basis for processing personal data under GDPR. This means that if the individual's information must be used to fulfil a contractual obligation with them, or to take actions at their request to enter into a contractual agreement, no further consent will be needed. In layman's terms, then, using a person's contact details to create a contract and fulfil it is permissible.

There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the information are overridden by the interests of the affected data subject. It is reasonable to assume that cold calling and emailing legitimate business prospects, identified via their job title and employer, will still be possible under GDPR.
