Why You Need to Pay Attention to GDPR compliance
Approaching the new General Data Protection Regulation (GDPR), effective from May 2018, companies based in Europe or having personal data of people residing in Europe, are struggling to find their most valuable assets in the organization – their sensitive data.
The new regulation requires organizations to prevent any data breach of personally identifiable information (PII) and to delete any data if some individual requests to do so. After eliminating all PII data, companies must demonstrate that they have completely withdrawn from this person and the authorities.
Most companies now understand their obligation to demonstrate responsibility and compliance and, therefore, began to prepare for the new regulation. There is so much information on how you can protect your confidential data, so much that you may feel overwhelmed and point in different directions, hoping to identify your goal. If you plan your data governance in advance, you can meet the deadline and avoid penalties.
Some companies, especially banks, insurance companies and manufacturers, have huge amounts of data, since they produce data by changing, storing and sharing files at an accelerated rate and therefore generate terabytes and even petabytes of data. The difficulty for this type of company is to find their confidential data in millions of files, in structured and unstructured data, which unfortunately is impossible in most cases.
Why GDPR is so important and requires your attention?
The first key distinction is one of scope. GDPR goes beyond safeguarding against the misuse of personal data such as email addresses and telephone numbers. The Regulation applies to any form of personal data that could identify an EU citizen, including user names and IP addresses. Furthermore, there is no distinction between information held on an individual in a business or personal capacity – it’s all classified as personal data identifying an individual and is therefore covered by the new Regulation.
Secondly, GDPR does away with the convenience of the “opt-out” currently enjoyed by many businesses. In contrast, the application of the most rigorous interpretation, using personal data of an EU citizen, requires that such consent be clear, specific, informed and clear. It requires a positive sign of agreement: can not be concluded from silences, check boxes or inactivity.
It’s this scope, coupled with the strict interpretation that has had marketing and business leaders alike in such a fluster. And rightly so. Not only will the business need to be compliant with the new law, it may, if challenged, be required to demonstrate this compliance. To make things even more difficult, the law will apply not just to newly acquired data post May 2018, but also to that already held. So if you have a database of contacts, to whom you have freely marketed in the past, without their express consent, even giving the individual an option to opt-out, whether now or previously, won’t cover it.
Consent needs to be gathered for the actions you intend to take. Getting consent just to USE the data, in any form won’t be sufficient. Any list of contacts you have or intend to buy from a third party vendor could therefore become obsolete. Without the consent from the individuals listed for your business to use their data for the action you had intended, you won’t be able to make use of the data.
But it’s not all as bad as it seems. At first glance, it seems that the GDPR could stifle business, especially online media. But that is not really the intention. From the point of view of B2C, there could well be a mountain to climb, since companies in most cases rely on their approval. However, there are two other mechanisms by which use of the data can be legal, which in some cases will support B2C actions, and will almost certainly cover most areas of B2B activity.
“Contractual necessity” will remain a lawful basis for processing personal data under GDPR. This means that if it’s required that the individual’s data is used to fulfil a contractual obligation with them or take steps at their request to enter into a contractual agreement, no further consent will be required. In layman’s terms then, using a person’s contact details to generate a contract and fulfil it is permissible.
There is also the route of the “legitimate interests” mechanism, which remains a lawful basis for processing personal data. The exception is where the interests of those using the data are overridden by the interests of the affected data subject. It’s reasonable to assume, that cold calling and emailing legitimate business prospects, identified through their job title and employer, will still be possible under GDPR.
Steps to GDPR compliance
- Know your data! Despite the flexibility afforded by these mechanisms, especially in the context of B2B communications, it’s worth mapping out how personal data is held and accessed within your business. This process will help you uncover any compliance gaps and take steps to make necessary adjustments to your processes. Similarly, you will be looking to understand where consent is required and whether any of the personal data you currently hold already has consent for the actions you intend to take. If not, how will you go about obtaining it?
- Appoint a Data Protection Officer. This is a requirement under the new legislation, if you intend to process personal data on a regular basis. The DPO will be the central person advising the company on compliance with GDPR and will also act as the primary contact for Supervisory Authorities.
- Train your Team! Giving those with access to data adequate training on the context and implications of GDPR should help avoid a potential breach, so don’t skip this point. Data protection may be a rather dull and dry topic, but taking just a small amount of time to ensure employees are informed will be time well spent.
Finally – don’t panic! GDPR has not been put in place to stifle commerce. Instead, you as a consumer should enjoy greater protection when it comes to your personal data and hopefully, less spam!