Easy Actions to GDPR Compliance

From Werkskultur Wiki
Revision as of 19 January 2018, 05:26 by SherrellcyywrfkawcRuddy (Talk | contributions)


With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing business processes and systems to ensure you don't fall foul of the new Regulation when it comes into force in May 2018. Even if you have been spared working on a direct compliance project, any new initiative within your business is likely to include an element of GDPR conformity. And as the deadline moves ever closer, businesses will be seeking to train their employees on the basics of the new regulation, especially those who have access to personal data.

The basics of GDPR

So what's all the fuss about, and how is the new law so different from the Data Protection Directive that it replaces?

The first important distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal details such as e-mail addresses and telephone numbers. The Regulation applies to any type of personal data that could identify an EU citizen, including user names and IP addresses. Moreover, there is no distinction between information held on an individual in a business or personal capacity: it is all classified as personal data identifying an individual and is consequently covered by the new Regulation.

Secondly, GDPR does away with the comfort of the "opt-out" currently enjoyed by many businesses. Instead, under the strictest interpretation, using the personal data of an EU citizen requires consent that is freely given, specific, informed and unambiguous. It demands a positive indication of agreement; consent cannot be inferred from silence, pre-ticked boxes or inactivity.

It is this scope, coupled with the strict interpretation, that has had marketing and company leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it may, if challenged, be required to demonstrate this compliance. To make matters even more difficult, the law will apply not just to data newly acquired after May 2018, but also to data currently held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, even giving the individual an option to opt out, whether now or previously, won't cover it.

Consent needs to be gathered for the specific actions you intend to take. Obtaining consent merely to USE the data, in any form, won't be adequate. Any list of contacts you have, or intend to buy from a third-party vendor, could therefore become obsolete. Without consent from the individuals listed for your business to use their data for the action you had intended, you won't be in a position to make use of that data.

But it is not all as bad as it seems. At first glance, GDPR looks like it could choke business, particularly online media. But that is really not the intention. From a B2C viewpoint there could be quite a mountain to climb, as in most instances companies will be reliant on gathering consent. Nevertheless, there are two other mechanisms by which use of the data can be lawful, which in some cases will support B2C activities, and will almost certainly cover most areas of B2B activity.

"Contractual necessity" will remain a lawful basis for processing personal data under GDPR. This means that if the individual's data needs to be used to fulfil a contractual obligation with them, or to take steps at their request to enter into a contractual agreement, no further consent will be required. In layman's terms, then, using a person's contact details to draw up a contract and fulfil it is permissible.

There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the data are overridden by the interests of the affected data subject. It is reasonable to assume that cold calling and emailing legitimate business prospects, identified through their job title and employer, will still be feasible under GDPR.
