Easy Actions to GDPR Compliance

From March of History
Revision as of 19 January 2018 at 05:27 by CorrinneuamvwuypntIenco

With the new General Data Protection Regulation (GDPR) looming, you might well be one of the many now frantically assessing business processes and systems to make sure you do not fall foul of the new Regulation when it comes into force in May 2018. Even if you have been spared working on a direct compliance project, any new initiative within your company is likely to include an element of GDPR conformity. And as the deadline moves ever closer, businesses will be looking to train their workers on the fundamentals of the new regulation, especially those who have access to personal data.

The fundamentals of GDPR

So what's all the fuss about, and how is the new law so different from the Data Protection Directive that it replaces?

The first important distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal information such as email addresses and telephone numbers. The Regulation applies to any type of personal data that could identify an EU citizen, such as user names and IP addresses. Moreover, there is no distinction between information held on an individual in a business or personal capacity - it is all classified as personal data identifying an individual and is therefore covered by the new Regulation.

Secondly, GDPR does away with the convenience of the "opt-out" presently enjoyed by numerous companies. Instead, applying the strictest of interpretations, using the personal data of an EU citizen requires that consent be freely given, specific, informed and unambiguous. It requires a positive indication of agreement - it cannot be inferred from silence, pre-ticked boxes or inactivity.

It is this scope, coupled with the strict interpretation, that has had marketing and company leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it may, if challenged, be required to demonstrate this compliance. To make matters even more difficult, the law will apply not just to data newly acquired after May 2018, but also to data already held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, even giving the individual an option to opt out, whether now or previously, will not cover it.

Consent needs to be gathered for the actions you intend to take. Getting consent just to USE the data, in any form, will not be sufficient. Any list of contacts you have or intend to buy from a third-party vendor could consequently become obsolete. Without consent from the individuals listed for your business to use their information for the action you had intended, you won't be in a position to make use of the data.

But it's not all as bad as it appears. At first glance, GDPR looks like it could choke business, particularly online media. But that's really not the intention. From a B2C perspective, there could be quite a mountain to climb, as in most instances businesses will be reliant on gathering consent. However, there are two other mechanisms by which use of the data can be lawful, which in some instances will support B2C actions, and will almost certainly cover most areas of B2B activity.

"Contractual necessity" will remain a lawful basis for processing personal data under GDPR. This means that if the individual's information must be used to fulfil a contractual obligation with them, or to take steps at their request to enter into a contractual agreement, no further consent will be needed. In layman's terms then, using a person's contact details to generate a contract and fulfil it is permissible.

There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the data are overridden by the interests of the affected data subject. It is reasonable to assume that cold calling and emailing legitimate business prospects, identified through their job title and employer, will still be possible under GDPR.
