Simple Steps to GDPR Compliance

With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing business processes and systems to ensure you do not fall foul of the new Regulation come implementation in May 2018. Even if you've been spared working on a direct compliance project, any new initiative within your business is most likely to include an element of GDPR conformity. And as the deadline moves ever closer, companies will be looking to train their workers on the basics of the new regulation, especially those that have access to personal data.

The basics of GDPR

So what is all the fuss about, and how is the new law so different from the Data Protection Directive that it replaces?

The first important distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal data such as e-mail addresses and phone numbers. The Regulation applies to any form of personal data that could identify an EU citizen, including user names and IP addresses. Furthermore, there is no distinction between information held on a person in a business or personal capacity - it is all classified as personal data identifying a person and is therefore covered by the new Regulation.

Secondly, GDPR does away with the convenience of the "opt-out" currently enjoyed by many businesses. Instead, applying the strictest of interpretations, using the personal data of an EU citizen demands that consent be freely given, specific, informed and unambiguous. It demands a positive indication of agreement - it can't be inferred from silence, pre-ticked boxes or inactivity.

It's this scope, coupled with the strict interpretation, that has had marketing and business leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it may, if challenged, be required to demonstrate this compliance. To make matters even more difficult, the law will apply not just to newly acquired information post May 2018, but also to that already held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, even giving the individual an option to opt out, whether now or previously, will not cover it.

Consent needs to be gathered for the actions you intend to take. Getting consent just to USE the information, in any form, won't be adequate. Any list of contacts you have or intend to purchase from a third-party vendor could therefore become obsolete. Without the consent of the people listed for your company to use their information for the action you had intended, you will not be in a position to make use of the data.

But it is not all as bad as it appears. At first glance, GDPR looks like it could choke business, especially online media. But that is really not the intention. From a B2C viewpoint, there could be quite a mountain to climb, as in most cases companies will be reliant on gathering consent. Nevertheless, there are two other mechanisms by which use of the information can be legal, which in some instances will support B2C actions, and will almost certainly cover most areas of B2B activity.

"Contractual necessity" will remain a lawful basis for processing personal data under GDPR. This means that if the individual's data must be used to fulfil a contractual obligation with them, or to take steps at their request to enter into a contractual agreement, no additional consent will be needed. In layman's terms then, using a person's contact details to generate a contract and fulfil it is permissible.

There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the data are overridden by the interests of the affected data subject. It is reasonable to assume that cold calling and emailing legitimate business prospects, identified via their job title and employer, will still be possible under GDPR.
