Simple Steps to GDPR Compliance

Material from HistoryPedia

With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing business processes and systems to make sure you do not fall foul of the new Regulation when it comes into force in May 2018. Even if you have been spared working on a direct compliance project, any new initiative within your business is likely to include an element of GDPR compliance. And as the deadline moves ever closer, companies will be looking to train their staff on the fundamentals of the new regulation, especially those who have access to personal data.

The fundamentals of GDPR

So what's all the fuss about, and how is the new law different from the Data Protection Directive that it replaces?

The first important distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal information such as email addresses and phone numbers. The Regulation applies to any personal data that could identify an EU citizen, such as user names and IP addresses. Furthermore, there is no distinction between information held on an individual in a business or a private capacity: it is all classified as personal data identifying a person and is consequently covered by the new Regulation.

Secondly, GDPR does away with the convenience of the "opt-out" currently enjoyed by many businesses. Instead, under the strictest interpretation, using the personal data of an EU citizen requires that consent be freely given, specific, informed and unambiguous. It demands a clear indication of agreement; it cannot be inferred from silence, pre-ticked boxes or inactivity.

It is this scope, coupled with the strict interpretation, that has had marketing and business leaders alike in such a fluster. And rightly so. Not only will the company need to be compliant with the new law, it may, if challenged, be required to demonstrate that compliance. To make things even harder, the law will apply not just to data newly acquired after May 2018, but also to data already held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, having given those people an option to opt out, whether now or previously, won't cover it.

Consent needs to be gathered for the specific actions you intend to take. Obtaining consent merely to USE the data, in any form, will not be adequate. Any list of contacts you have, or intend to buy from a third-party vendor, could consequently become obsolete. Without consent from the people listed for your company to use their data for the action you had intended, you will not be in a position to use that data.

But it's not all as bad as it appears. At first glance, GDPR looks like it could choke business, especially online media. But that's really not the intention. From a B2C perspective there could be quite a mountain to climb, as in most cases companies will be reliant on gathering consent. However, there are two other mechanisms by which use of the data can be lawful, which in some cases will support B2C activities and will almost certainly cover most areas of B2B activity.

"Contractual necessity" will remain a lawful basis for processing personal data under GDPR. This means that if the individual's data is needed to fulfil a contractual obligation with them, or to take steps at their request to enter into a contract, no additional consent will be required. In layman's terms, using a person's contact details to draw up a contract and fulfil it is permissible.

There is also the "legitimate interests" mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the data are overridden by the interests of the affected data subject. It's reasonable to assume that cold calling and emailing legitimate business prospects, identified through their job title and employer, will still be possible under GDPR.
