Simple Steps to GDPR Compliance

With the new General Data Protection Regulation (GDPR) looming, you could well be one of the many now anxiously assessing business processes and systems to ensure you don’t fall foul of the new Regulation come implementation in May 2018. Even if you’ve recently been spared working on an immediate compliance project, any new initiative within your business may include an element of GDPR conformity. And as the deadline moves ever closer, companies will be aiming to educate their employees on the basics of the new regulation, especially those who may have access to personal data.

The basics of GDPR

So what’s all the fuss about, and how exactly is the new law so different from the Data Protection Directive that it replaces?

The first key distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal data such as email addresses and telephone numbers. The Regulation applies to any form of personal data that can identify an EU citizen, including user names and IP addresses. Furthermore, there is no distinction between information held on an individual in a business or personal capacity – it is all classified as personal data identifying someone and is therefore covered by the new Regulation.

Second, GDPR does away with the convenience of the “opt-out” currently enjoyed by many businesses. Instead, applying the strictest of interpretations, using the personal data of an EU citizen requires that consent be freely given, specific, informed and unambiguous. This requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity.

It’s this scope, combined with the strict interpretation, that has got marketing and business leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it may, if challenged, be required to demonstrate this compliance. To make things even more complicated, the law will apply not merely to newly acquired data post May 2018, but also to that already held. So if you have a database of contacts to whom you have freely marketed in the past without their express consent, even giving the person an option to opt out, whether now or previously, will not cover it.

Consent needs to be gathered for the actions you want to take. Getting consent just to USE the data, in any form, is unlikely to be sufficient. Any list of contacts you have or intend to buy from a third-party vendor could therefore become useless. Without consent from the individuals listed for your business to use their data for the action you had planned, you won’t be able to use the data.

But it’s not all as bad as it seems. At first glance, GDPR looks as if it could choke business, especially online media. Yet that’s really not the intention. From a B2C perspective, there could be quite a mountain to climb, as in most cases businesses will be reliant on gathering consent. However, there are two other mechanisms by which use of the data can be legal, which will sometimes support B2C activities and will almost certainly cover most areas of B2B activity.
