Simple Steps to GDPR Compliance

From the OpenHardware.sv Wiki
Revision as of 23:26, 18 Jan 2018; VenitazmixfztgbtPrevite (Talk | contributions)


With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing company processes and systems to make sure you don't fall foul of the new Regulation when it takes effect in May 2018. Even if you have been spared working on a direct compliance project, any new initiative within your company is likely to include an element of GDPR compliance. And as the deadline moves ever closer, companies will be seeking to train their employees on the fundamentals of the new regulation, particularly those who have access to personal data.

The basics of GDPR

So what's all the fuss about, and how is the new law so different from the Data Protection Directive that it replaces?

The first important distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal data such as email addresses and phone numbers. The Regulation applies to any type of personal data that could identify an EU citizen, such as user names and IP addresses. Moreover, there is no distinction between information held on an individual in a business or personal capacity: it is all classified as personal data identifying a person and is therefore covered by the new Regulation.

Secondly, GDPR does away with the comfort of the "opt-out" currently enjoyed by many companies. Instead, applying the strictest interpretation, using the personal data of an EU citizen requires that consent be freely given, specific, informed and unambiguous. It demands a positive indication of agreement: it cannot be inferred from silence, pre-ticked boxes or inactivity.

It's this scope, coupled with the strict interpretation, that has had marketing and business leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it may, if challenged, be required to demonstrate this compliance. To make matters even tougher, the law will apply not just to data newly acquired after May 2018, but also to data already held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, merely giving the person an option to opt out, whether now or previously, will not cover it.

Consent needs to be gathered for the actions you intend to take. Obtaining consent just to USE the data, in any form, will not be sufficient. Any list of contacts you have, or intend to purchase from a third-party vendor, could therefore become obsolete. Without consent from the people listed for your company to use their data for the action you intended, you will not be able to make use of that data.

But it's not all as bad as it seems. At first glance, GDPR looks like it could choke business, particularly online media. But that is really not the intention. From a B2C viewpoint there could be quite a mountain to climb, as in most cases companies will be reliant on gathering consent. Nevertheless, there are two other mechanisms by which use of the data can be lawful, which in some instances will support B2C actions and will almost certainly cover most areas of B2B activity.

"Contractual necessity" will remain a lawful basis for processing personal data under GDPR. This means that if the individual's data must be used to fulfil a contractual obligation with them, or to take steps at their request to enter into a contractual agreement, no further consent is required. In layman's terms, using a person's contact details to draw up a contract and fulfil it is permissible.

There is also the route of the "legitimate interests" mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the data are overridden by the interests of the affected data subject. It's reasonable to assume that cold calling and emailing legitimate business prospects, identified via their job title and employer, will still be possible under GDPR.
