Simple Steps to GDPR Compliance

From the OpenHardware.sv Wiki
Revision as of 23:25, 18 January 2018; MarylnjlfyexqqteFaurot


With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing business processes and systems to ensure you don't fall foul of the new Regulation when it comes into force in May 2018. Even if you've been spared working on a dedicated compliance project, any new initiative inside your company is likely to include an element of GDPR conformity. And as the deadline draws closer, companies will be looking to train their employees on the fundamentals of the new Regulation, particularly those who have access to personal data.

The basics of GDPR

So what is all the fuss about, and how does the new law differ from the Data Protection Directive that it replaces?

The first key distinction is one of scope. GDPR goes beyond safeguarding against the misuse of obvious personal data such as e-mail addresses and telephone numbers. The Regulation applies to any information that could directly or indirectly identify a natural person in the EU, including user names, online identifiers and IP addresses. Moreover, there is no distinction between information held on a person in a business capacity and in a private capacity: a named business contact is still an identifiable individual, so their details are personal data and are covered by the new Regulation.

Secondly, GDPR does away with the convenience of the "opt-out" currently relied on by many companies. Where consent is the basis for using an individual's personal data, that consent must be freely given, specific, informed and unambiguous. It requires a clear affirmative action by the individual; it cannot be inferred from silence, pre-ticked boxes or inactivity.

It's this scope, coupled with the strict interpretation of consent, that has had marketing and business leaders alike in such a fluster. And rightly so. Not only must the business be compliant with the new law, it must also be able to demonstrate that compliance if challenged, which in practice means keeping records of when, how and for what purpose each consent was obtained. To make things harder still, the law applies not just to data acquired after May 2018 but also to data already held. So if you have a database of contacts to whom you have marketed in the past without their express consent, simply having offered them an opt-out, whether now or previously, will not be enough.

Consent must be gathered for the specific purposes you intend to pursue. Obtaining consent merely to "use" the data, in any form, will not be sufficient. Any list of contacts you hold, or intend to purchase from a third-party vendor, could therefore become unusable: without consent from the people listed for your company to use their data for the purpose you had intended, you will not be able to make use of it.

But it is not all as bad as it seems. At first glance GDPR looks as though it could choke business, especially online media, but that is not its intention. From a B2C perspective there may be quite a mountain to climb, as in most cases companies will rely on gathering consent. However, consent is only one of the lawful bases for processing; two others will support some B2C activity and will almost certainly cover most areas of B2B activity.

"Contractual necessity" remains a lawful basis for processing personal data under GDPR. If the individual's data is needed to perform a contract with them, or to take steps at their request before entering into a contract, no separate consent is required. In layman's terms, using a person's contact details to draw up a contract and fulfil it is permissible.

There is also the "legitimate interests" basis, which likewise remains a lawful basis for processing personal data. It applies unless the interests of the organisation using the data are overridden by the interests, rights and freedoms of the affected data subject, so it calls for a documented balancing test rather than an assumption that it will apply. On that basis it is reasonable to expect that contacting genuine business prospects, identified through their job title and employer, by phone or e-mail will still be feasible under GDPR, provided the balancing test is carried out and the individual is told how to object.
