Easy Steps to GDPR Compliance6289026
With the new General Information Protection Regulation (GDPR) looming, you might nicely be one of the many now frantically assessing business processes and systems to ensure you do not fall foul of the new Regulation come implementation in May 2018. Even if you've been spared working on a direct compliance project, any new initiative inside your business is most likely to include an element of GDPR conformity. And as the deadline moves ever closer, businesses will be seeking to train their workers on the fundamentals of the new regulation, especially these that have access to individual data.
The fundamentals of GDPR
So what is all the fuss about and how is the new law so various to the data protection directive that it replaces?
The initial key distinction is 1 of scope. GDPR goes beyond safeguarding against the misuse of personal information such as e-mail addresses and phone numbers. The Regulation applies to any form of individual information that could determine an EU citizen, such as user names and IP addresses. Moreover, there is no distinction in between info held on an person in a business or personal capacity - it's all classified as individual information identifying an person and is therefore covered by the new Regulation.
Secondly, GDPR does away with the comfort of the "opt-out" currently enjoyed by numerous businesses. Rather, applying the strictest of interpretations, using personal information of an EU citizen, requires that such consent be freely given, specific, informed and unambiguous. It requires a positive indication of agreement - it cannot be inferred from silence, pre-ticked boxes or inactivity.
It is this scope, coupled with the strict interpretation that has had advertising and company leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it may, if challenged, be needed to demonstrate this compliance. To make issues even more difficult, the law will apply not just to newly acquired data post May 2018, but also to that currently held. So if you have a database of contacts, to whom you have freely marketed in the previous, with out their express consent, even providing the person an choice to opt-out, whether or not now or previously, will not cover it.
Consent needs to be gathered for the actions you intend to take. Getting consent just to USE the information, in any type won't be sufficient. Any list of contacts you have or intend to buy from a third celebration vendor could therefore become obsolete. With out the consent from the individuals listed for your business to use their data for the action you had intended, you will not be able to make use of the data.
But it is not all as bad as it seems. At initial glance, GDPR appears like it could choke business, particularly online media. But that's truly not the intention. From a B2C viewpoint, there could be quite a mountain to climb, as in most cases, businesses will be reliant on gathering consent. However, there are two other mechanisms by which use of the information can be legal, which in some cases will support B2C actions, and will nearly definitely cover most areas of B2B activity.
"Contractual necessity" will stay a lawful basis for processing personal data under GDPR. This means that if it is required that the individual's data is utilized to fulfil a contractual obligation with them or take steps at their request to enter into a contractual agreement, no further consent will be required. In layman's terms then, using a person's contact details to generate a contract and fulfil it is permissible.
There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal information. The exception is where the interests of these using the information are overridden by the interests of the impacted information topic. It's reasonable to assume, that cold calling and emailing reputable company prospects, identified through their job title and employer, will nonetheless be feasible under GDPR.
