Simple Steps to GDPR Compliance

Revision as of 19 January 2018 at 05:26 by BobbydjchxsqthcKrudop (Page created with "With the new Common Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing business processes and systems to ensure you don't...")


With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing business processes and systems to ensure you don't fall foul of the new Regulation when it takes effect in May 2018. Even if you have been spared working on a direct compliance project, any new initiative within your business is likely to include an element of GDPR compliance. And as the deadline moves ever closer, businesses will be seeking to train their employees on the basics of the new Regulation, particularly those who have access to personal data.

The basics of GDPR

So what is all the fuss about, and how is the new law so different from the Data Protection Directive that it replaces?

The first key distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal data such as e-mail addresses and telephone numbers. The Regulation applies to any form of personal information that could identify an EU citizen, such as user names and IP addresses. Moreover, there is no distinction between information held on a person in a business or private capacity: it is all classified as personal information identifying an individual and is consequently covered by the new Regulation.

Secondly, GDPR does away with the comfort of the "opt-out" presently enjoyed by many businesses. Instead, under the strictest interpretation, using the personal data of an EU citizen requires consent, and that consent must be freely given, specific, informed and unambiguous. It demands a positive indication of agreement; it cannot be inferred from silence, pre-ticked boxes or inactivity.

It is this scope, coupled with the strict interpretation, that has had marketing and business leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law; it may, if challenged, be required to demonstrate that compliance. To make things even tougher, the law will apply not just to data newly acquired after May 2018, but also to data already held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, merely giving the individual an option to opt out, whether now or previously, will not cover it.

Consent must be gathered for the specific actions you intend to take. Getting consent merely to USE the data, in any form, will not be sufficient. Any list of contacts you have, or intend to buy from a third-party vendor, could therefore become obsolete: without consent from the individuals listed for your business to use their information for the action you intended, you will not be able to use the data.

But it is not all as bad as it appears. At first glance, GDPR looks like it could choke business, especially online media. But that is really not the intention. From a B2C viewpoint there could be quite a mountain to climb, as in most cases businesses will be reliant on gathering consent. Nevertheless, there are two other mechanisms by which use of the data can be lawful, which in some instances will support B2C activities and will almost certainly cover most areas of B2B activity.

"Contractual necessity" will remain a lawful basis for processing personal data under GDPR. This means that if the individual's data must be used to fulfil a contractual obligation with them, or to take steps at their request to enter into a contract, no further consent is needed. In layman's terms, using a person's contact details to draw up a contract and fulfil it is permissible.

There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the data are overridden by the interests of the affected data subject. It is reasonable to assume that cold calling and emailing legitimate business prospects, identified through their job title and employer, will still be possible under GDPR.
