Simple Steps to GDPR Compliance


With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing business processes and systems to ensure you do not fall foul of the new Regulation when it comes into force in May 2018. Even if you have been spared working on a direct compliance project, any new initiative within your business is likely to include an element of GDPR compliance. And as the deadline draws closer, companies will be looking to train their employees on the basics of the new regulation, especially those who have access to personal data.

The fundamentals of GDPR

So what's all the fuss about, and how is the new law different from the Data Protection Directive that it replaces?

The first key difference is one of scope. GDPR goes beyond protecting against the misuse of personal data such as email addresses and telephone numbers. The Regulation applies to any form of personal data that could identify an EU citizen, such as user names and IP addresses. Moreover, there is no distinction between data held on an individual in a business or a private capacity: it is all classified as personal data identifying an individual and is therefore covered by the new Regulation.

Secondly, GDPR does away with the convenience of the "opt-out" currently enjoyed by many businesses. Instead, applying the strictest interpretation, using the personal data of an EU citizen requires consent, and that consent must be freely given, specific, informed and unambiguous. It demands a positive indication of agreement; it cannot be inferred from silence, pre-ticked boxes or inactivity.

It is this scope, coupled with the strict interpretation, that has had marketing and business leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it may, if challenged, be required to demonstrate that compliance. To make things even more difficult, the law will apply not just to data newly acquired after May 2018, but also to data currently held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, giving those people an option to opt out, whether now or previously, will not cover it.

Consent needs to be gathered for the specific actions you intend to take. Getting consent just to USE the data, in any form, will not be adequate. Any list of contacts you have, or intend to buy from a third-party vendor, could therefore become obsolete. Without consent from the individuals listed for your business to use their data for the action you intended, you will not be in a position to make use of that data.

But it is not all as bad as it appears. At first glance, GDPR looks like it could choke business, particularly online media. But that is not the intention. From a B2C viewpoint there could be quite a mountain to climb, as in most cases businesses will rely on gathering consent. However, there are two other mechanisms by which use of the data can be lawful, which in some instances will support B2C activity and will almost certainly cover most areas of B2B activity.

"Contractual necessity" will remain a lawful basis for processing personal data under GDPR. This means that if the individual's data must be used to fulfil a contractual obligation with them, or to take steps at their request to enter into a contract, no further consent is required. In layman's terms, using a person's contact details to produce a contract and fulfil it is permissible.

There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the data are overridden by the interests of the affected data subject. It is reasonable to assume that cold calling and emailing legitimate business prospects, identified through their job title and employer, will still be possible under GDPR.
