Simple Steps to GDPR Compliance4832926
With the new General Information Protection Regulation (GDPR) looming, you may well be 1 of the many now frantically assessing business processes and systems to make sure you do not fall foul of the new Regulation come implementation in May 2018. Even if you have been spared operating on a direct compliance project, any new initiative within your company is most likely to consist of an element of GDPR conformity. And as the deadline moves ever closer, businesses will be seeking to train their workers on the fundamentals of the new regulation, particularly these that have access to personal information.
The fundamentals of GDPR
So what is all the fuss about and how is the new law so various to the data protection directive that it replaces?
The initial key distinction is one of scope. GDPR goes beyond safeguarding against the misuse of individual data such as e-mail addresses and phone numbers. The Regulation applies to any type of personal data that could identify an EU citizen, including user names and IP addresses. Moreover, there is no distinction in between information held on an person in a company or individual capacity - it is all classified as individual information identifying an person and is therefore covered by the new Regulation.
Secondly, GDPR does away with the comfort of the "opt-out" currently enjoyed by numerous companies. Rather, applying the strictest of interpretations, using individual data of an EU citizen, demands that such consent be freely given, specific, informed and unambiguous. It demands a positive indication of agreement - it cannot be inferred from silence, pre-ticked boxes or inactivity.
It is this scope, coupled with the strict interpretation that has had marketing and company leaders alike in such a fluster. And rightly so. Not only will the company need to be compliant with the new law, it may, if challenged, be needed to demonstrate this compliance. To make issues even much more tough, the law will apply not just to newly acquired information post Might 2018, but also to that currently held. So if you have a database of contacts, to whom you have freely marketed in the previous, with out their express consent, even giving the individual an option to opt-out, whether now or previously, won't cover it.
Consent needs to be gathered for the actions you intend to take. Getting consent just to USE the information, in any type won't be adequate. Any list of contacts you have or intend to purchase from a third celebration vendor could therefore turn out to be obsolete. Without the consent from the individuals listed for your business to use their information for the action you had intended, you won't be able to make use of the data.
But it is not all as poor as it seems. At first glance, GDPR looks like it could choke company, particularly on-line media. But that is truly not the intention. From a B2C viewpoint, there could be fairly a mountain to climb, as in most instances, businesses will be reliant on gathering consent. Nevertheless, there are two other mechanisms by which use of the data can be legal, which in some instances will assistance B2C actions, and will nearly definitely cover most locations of B2B activity.
"Contractual necessity" will stay a lawful basis for processing personal information under GDPR. This means that if it is needed that the individual's information is utilized to fulfil a contractual obligation with them or take actions at their request to enter into a contractual agreement, no additional consent will be needed. In layman's terms then, using a person's contact particulars to produce a contract and fulfil it is permissible.
There is also the route of the "reputable interests" mechanism, which remains a lawful basis for processing personal information. The exception is where the interests of those using the data are overridden by the interests of the impacted data topic. It is reasonable to assume, that cold calling and emailing reputable business prospects, identified through their job title and employer, will nonetheless be feasible under GDPR.
