Easy Steps to GDPR Compliance

From March of History
Revision of 19 January 2018 at 05:27 by MerilynytgrmohrfyBun


With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing business processes and systems to make sure you do not fall foul of the new Regulation come implementation in May 2018. Even if you've been spared working on a direct compliance project, any new initiative within your company is likely to include an element of GDPR conformity. And as the deadline moves ever closer, companies will be looking to train their employees on the basics of the new Regulation, particularly those who have access to personal data.

The fundamentals of GDPR

So what's all the fuss about, and how is the new law so different from the Data Protection Directive that it replaces?

The first key distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal data such as email addresses and telephone numbers. The Regulation applies to any type of personal data that could identify an EU citizen, such as user names and IP addresses. Moreover, there is no distinction between data held on an individual in a business or personal capacity: it is all classified as personal data identifying an individual and is consequently covered by the new Regulation.

Secondly, GDPR does away with the comfort of the "opt-out" currently enjoyed by many companies. Rather, applying the strictest of interpretations, using the personal data of an EU citizen demands that consent be freely given, specific, informed and unambiguous. It demands a positive indication of agreement; it can't be inferred from silence, pre-ticked boxes or inactivity.

It's this scope, coupled with the strict interpretation, that has had marketing and business leaders alike in such a fluster. And rightly so. Not only will the company need to be compliant with the new law, it may, if challenged, be required to demonstrate this compliance. To make things even more difficult, the law will apply not just to newly acquired data post May 2018, but also to data already held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, even giving the individual an option to opt out, whether now or previously, will not cover it.

Consent needs to be gathered for the actions you intend to take. Obtaining consent just to USE the data, in any form, won't be sufficient. Any list of contacts you have or intend to purchase from a third-party vendor could consequently become obsolete. Without consent from the people listed for your company to use their data for the action you had intended, you won't be able to make use of the data.

But it's not all as bad as it appears. At first glance, GDPR looks like it could choke business, particularly online media. But that is really not the intention. From a B2C viewpoint, there could be quite a mountain to climb, as in most cases businesses will be reliant on gathering consent. Nevertheless, there are two other mechanisms by which use of the data can be legal, which in some cases will support B2C activities, and will almost certainly cover most areas of B2B activity.

"Contractual necessity" will remain a lawful basis for processing personal data under GDPR. This means that if the individual's data must be used to fulfil a contractual obligation with them, or to take steps at their request to enter into a contractual agreement, no additional consent will be required. In layman's terms, then, using a person's contact details to create a contract and fulfil it is permissible.

There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the data are overridden by the interests of the affected data subject. It is reasonable to assume that cold calling and emailing legitimate business prospects, identified through their job title and employer, will still be possible under GDPR.
