Simple Actions to GDPR Compliance

From HistoryPedia
Revision as of 06:31, 19 January 2018, created by BetsypdrijsoqmpDefrank


With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing business processes and systems to make sure you don't fall foul of the new Regulation when it takes effect in May 2018. Even if you've been spared working on a direct compliance project, any new initiative inside your business is likely to include an element of GDPR conformity. And as the deadline moves ever closer, companies will be looking to train their employees on the fundamentals of the new regulation, especially those who have access to personal information.

The fundamentals of GDPR

So what is all the fuss about, and how is the new law so different from the data protection directive that it replaces?

The first important difference is one of scope. GDPR goes beyond safeguarding against the misuse of personal information such as e-mail addresses and telephone numbers. The Regulation applies to any form of personal data that could identify an EU citizen, including user names and IP addresses. Furthermore, there is no distinction between information held on an individual in a business or personal capacity - it's all classified as personal information identifying an individual and is consequently covered by the new Regulation.

Secondly, GDPR does away with the comfort of the "opt-out" presently enjoyed by many companies. Instead, applying the strictest of interpretations, using the personal data of an EU citizen requires that consent be freely given, specific, informed and unambiguous. It requires a positive indication of agreement - it can't be inferred from silence, pre-ticked boxes or inactivity.

It is this scope, coupled with the strict interpretation, that has had marketing and business leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it may, if challenged, be required to demonstrate this compliance. To make things even more difficult, the law will apply not just to data newly acquired after May 2018, but also to data already held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, even giving the individual an option to opt out, whether now or previously, will not cover it.

Consent needs to be gathered for the actions you intend to take. Obtaining consent just to USE the data, in any form, won't be sufficient. Any list of contacts you have or intend to buy from a third-party vendor could therefore become obsolete. Without consent from the individuals listed for your business to use their data for the action you had intended, you will not be able to make use of the data.

But it's not all as bad as it appears. At first glance, GDPR looks like it could choke business, particularly online media. But that is really not the intention. From a B2C perspective, there could be quite a mountain to climb, as in most cases businesses will be reliant on gathering consent. Nevertheless, there are two other mechanisms by which use of the data can be legal, which in some cases will support B2C activities, and will almost certainly cover most areas of B2B activity.

"Contractual necessity" will remain a lawful basis for processing personal data under GDPR. This means that if the individual's data is needed to fulfil a contractual obligation with them, or to take steps at their request to enter into a contractual agreement, no further consent will be needed. In layman's terms then, using a person's contact details to produce a contract and fulfil it is permissible.

There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal information. The exception is where the interests of those using the information are overridden by the interests of the affected data subject. It's reasonable to assume that cold calling and emailing legitimate business prospects, identified through their job title and employer, will still be possible under GDPR.
