Simple Actions to GDPR Compliance595812
With the new General Data Protection Regulation (GDPR) looming, you may well be one of the numerous now frantically assessing business processes and systems to make sure you do not fall foul of the new Regulation come implementation in May 2018. Even if you have been spared working on a direct compliance project, any new initiative within your business is most likely to consist of an element of GDPR conformity. And as the deadline moves ever closer, companies will be looking for to train their employees on the fundamentals of the new regulation, particularly those that have access to personal information.
The basics of GDPR
So what is all the fuss about and how is the new law so various to the data protection directive that it replaces?
The initial key distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal information such as email addresses and telephone numbers. The Regulation applies to any form of personal information that could determine an EU citizen, such as user names and IP addresses. Moreover, there is no distinction between info held on an person in a business or personal capacity - it is all classified as personal data identifying an person and is consequently covered by the new Regulation.
Secondly, GDPR does away with the convenience of the "opt-out" presently enjoyed by many businesses. Rather, applying the strictest of interpretations, using personal data of an EU citizen, demands that such consent be freely offered, particular, informed and unambiguous. It requires a good indication of agreement - it cannot be inferred from silence, pre-ticked boxes or inactivity.
It is this scope, coupled with the strict interpretation that has had advertising and business leaders alike in such a fluster. And rightly so. Not only will the company need to be compliant with the new law, it may, if challenged, be required to demonstrate this compliance. To make issues even more difficult, the law will apply not just to newly acquired data post Might 2018, but also to that already held. So if you have a database of contacts, to whom you have freely marketed in the previous, with out their express consent, even giving the individual an option to opt-out, whether or not now or previously, won't cover it.
Consent requirements to be gathered for the actions you intend to take. Getting consent just to USE the data, in any form won't be sufficient. Any list of contacts you have or intend to buy from a third celebration vendor could therefore turn out to be obsolete. Without the consent from the individuals listed for your company to use their information for the action you had intended, you will not be in a position to make use of the data.
But it is not all as poor as it seems. At first glance, GDPR looks like it could choke business, especially on-line media. But that's truly not the intention. From a B2C viewpoint, there could be quite a mountain to climb, as in most instances, businesses will be reliant on gathering consent. However, there are two other mechanisms by which use of the data can be legal, which in some cases will support B2C actions, and will almost definitely cover most areas of B2B activity.
"Contractual necessity" will stay a lawful basis for processing personal data below GDPR. This indicates that if it's required that the individual's data is utilized to fulfil a contractual obligation with them or take actions at their request to enter into a contractual agreement, no additional consent will be required. In layman's terms then, utilizing a person's get in touch with particulars to generate a contract and fulfil it is permissible.
There is also the route of the "reputable interests" mechanism, which remains a lawful basis for processing personal data. The exception is exactly where the interests of those using the data are overridden by the interests of the impacted information subject. It's affordable to assume, that cold calling and emailing reputable company prospects, identified through their job title and employer, will still be possible under GDPR.
