With the new General Data Protection Regulation (GDPR) looming, you may well be one of the many now frantically assessing business processes and systems to ensure you don’t fall foul of the new Regulation come implementation in May 2018. Even if you’ve been spared working on a direct compliance project, any new initiative within your business is likely to include an element of GDPR conformity. And as the deadline moves ever closer, companies will be seeking to train their employees on the basics of the new regulation, especially those that have access to personal data.
The basics of GDPR
So what’s all the fuss about and how is the new law so different to the data protection directive that it replaces?
The first key distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal data such as email addresses and telephone numbers. The Regulation applies to any form of personal data that could identify an EU citizen, including user names and IP addresses. Furthermore, there is no distinction between information held on an individual in a business or personal capacity – it’s all classified as personal data identifying an individual and is therefore covered by the new Regulation.
Secondly, GDPR does away with the convenience of the “opt-out” currently enjoyed by many businesses. Instead, applying the strictest of interpretations, using personal data of an EU citizen, requires that such consent be freely given, specific, informed and unambiguous. It requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity.
It’s this scope, coupled with the strict interpretation that has had marketing and business leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it may, if challenged, be required to demonstrate this compliance. To make things even more difficult, the law will apply not just to newly acquired data post May 2018, but also to that already held. So if you have a database of contacts, to whom you have freely marketed in the past, without their express consent, even giving the individual an option to opt-out, whether now or previously, won’t cover it.
Consent needs to be gathered for the actions you intend to take. Getting consent just to USE the data, in any form won’t be sufficient. Any list of contacts you have or intend to buy from a third party vendor could therefore become obsolete. Without the consent from the individuals listed for your business to use their data for the action you had intended, you won’t be able to make use of the data.
But it’s not all as bad as it seems. At first glance, GDPR looks like it could choke business, especially online media. But that’s really not the intention. From a B2C perspective, there could be quite a mountain to climb, as in most cases, businesses will be reliant on gathering consent. However, there are two other mechanisms by which use of the data can be legal, which in some cases will support B2C actions, and will almost certainly cover most areas of B2B activity.
“Contractual necessity” will remain a lawful basis for processing personal data under GDPR. This means that if it’s required that the individual’s data is used to fulfil a contractual obligation with them or take steps at their request to enter into a contractual agreement, no further consent will be required. In layman’s terms then, using a person’s contact details to generate a contract and fulfil it is permissible.
There is also the route of the “legitimate interests” mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the data are overridden by the interests of the affected data subject. It’s reasonable to assume, that cold calling and emailing legitimate business prospects, identified through their job title and employer, will still be possible under GDPR.
3 Steps to Compliance…
- Know your data! Despite the flexibility afforded by these mechanisms, especially in the context of B2B communications, it’s worth mapping out how personal data is held and accessed within your business. This process will help you uncover any compliance gaps and take steps to make necessary adjustments to your processes. Similarly, you will be looking to understand where consent is required and whether any of the personal data you currently hold already has consent for the actions you intend to take. If not, how will you go about obtaining it?
- Appoint a Data Protection Officer. This is a requirement under the new legislation, if you intend to process personal data on a regular basis. The DPO will be the central person advising the company on compliance with GDPR and will also act as the primary contact for Supervisory Authorities.
- Train your Team! Giving those with access to data adequate training on the context and implications of GDPR should help avoid a potential breach, so don’t skip this point. Data protection may be a rather dull and dry topic, but taking just a small amount of time to ensure employees are informed will be time well spent.
Finally – don’t panic! GDPR has not been put in place to stifle commerce. Instead, you as a consumer should enjoy greater protection when it comes to your personal data and hopefully, less spam!
