Simple Actions to GDPR Compliance2538828
With the new General Information Protection Regulation (GDPR) looming, you might well be one of the numerous now frantically assessing company processes and systems to make sure you do not fall foul of the new Regulation come implementation in Might 2018. Even if you have been spared operating on a direct compliance project, any new initiative inside your company is likely to consist of an element of GDPR conformity. And as the deadline moves ever closer, businesses will be seeking to train their workers on the fundamentals of the new regulation, especially these that have access to individual data.
The basics of GDPR
So what is all the fuss about and how is the new law so different to the data protection directive that it replaces?
The initial important distinction is one of scope. GDPR goes beyond safeguarding against the misuse of individual data such as email addresses and telephone numbers. The Regulation applies to any form of personal data that could identify an EU citizen, such as user names and IP addresses. Moreover, there is no distinction in between info held on an individual in a business or personal capacity - it's all classified as personal information identifying an individual and is consequently covered by the new Regulation.
Secondly, GDPR does away with the comfort of the "opt-out" presently enjoyed by many companies. Instead, applying the strictest of interpretations, using personal data of an EU citizen, demands that such consent be freely offered, particular, informed and unambiguous. It demands a good indication of agreement - it can't be inferred from silence, pre-ticked boxes or inactivity.
It is this scope, coupled with the strict interpretation that has had advertising and business leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it might, if challenged, be needed to demonstrate this compliance. To make things even much more difficult, the law will apply not just to newly acquired information post Might 2018, but also to that currently held. So if you have a database of contacts, to whom you have freely marketed in the previous, without their express consent, even providing the person an option to opt-out, whether or not now or previously, won't cover it.
Consent needs to be gathered for the actions you intend to take. Getting consent just to USE the information, in any type won't be sufficient. Any list of contacts you have or intend to purchase from a third celebration vendor could therefore become obsolete. With out the consent from the people listed for your company to use their data for the action you had intended, you won't be able to make use of the information.
But it is not all as poor as it seems. At initial glance, GDPR appears like it could choke company, especially online media. But that is really not the intention. From a B2C perspective, there could be quite a mountain to climb, as in most instances, companies will be reliant on gathering consent. However, there are two other mechanisms by which use of the information can be legal, which in some instances will support B2C actions, and will nearly certainly cover most locations of B2B activity.
"Contractual necessity" will remain a lawful basis for processing individual information below GDPR. This indicates that if it is required that the individual's information is utilized to fulfil a contractual obligation with them or take steps at their request to enter into a contractual agreement, no further consent will be needed. In layman's terms then, utilizing a person's contact details to produce a contract and fulfil it is permissible.
There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of these using the information are overridden by the interests of the impacted information topic. It is reasonable to assume, that cold calling and emailing legitimate business prospects, identified via their job title and employer, will nonetheless be feasible under GDPR.
