As the new approach to General Data Protection (GDPR) approaches, it may be one of the many processes and business systems that it frantically evaluates to ensure that the new system does not break in May 2018.
It has been exempted from a direct compliance project. It is likely that what is new in your business includes an element of equalizing GDPR. As the deadline approaches, companies will seek to train their employees on the fundamental aspects of the new organization, especially those with access to personal data.
So, what is all this controversy and how is the new law of the data protection directive that it replaces?
The first important distinction is one of the ranges. GDPR exceeds protection compared to the misuse of personal data, such as email addresses and phone numbers. The Regulation applies to any personal information that can be identified by an EU citizen, including user names and IP addresses. In addition, there is no distinction between the information contained in the business or the personal capabilities of a person: classified as personal information that identifies a person and, therefore, is covered by the new regulation.
Second, the gross domestic product does not work with the convenience of the “withdrawal” of many companies. On the other hand, the application of the most precise interpretation, using the personal data of a citizen of the European Union, requires that such consent is granted in a free, clear, informative and unambiguous manner. It requires a positive sign of agreement: it can not be inferred from silence, squares or inactivity.
This is the scope, along with the strict interpretation that both marketing and business leaders have had in such anarchy. That’s right. Companies must not only comply with the new law but, in case of appeal, it may also be necessary to demonstrate this obligation. To make things even more difficult, the law will apply only to newly acquired data in May 2018, but also to those that have already been preserved. So, if you have a contact database, which you have marketed freely in the past, without your explicit consent, even if you give the person the option to withdraw, now or in the past, it will not cover it.
Accept the actions you intend to take. Obtaining approval only to use the data, in any format will not be enough. Any contact list that you have or intend to buy from a third vendor may become obsolete. Without the consent of the people included in the list for your company to use your data for the action you want, you cannot use them.
But not everyone seems so bad. At first glance, it seems that GDPR could lead to drowning companies, especially online media. But this is not the intention. From a B2C perspective, there may be a mount that cannot be scaled, because most companies will rely on the collection of approval. However, two other mechanisms can be used legally, which in some cases will be compatible with B2C procedures and will almost certainly cover most areas of B2B activity.
The “contractual need” will remain a legal basis for the processing of personal data in the context of GDPR. This means that if it is necessary to use the data of the person to fulfill a contractual obligation with them or to take the steps that are requested to conclude a contractual agreement, there will be no need for additional consent. In secular terms, the use of a person’s contact data is permitted to generate and fulfill a contract.
There is also the path of the mechanism of “legitimate interests,” which remains a legal basis for the processing of personal data. The exception is when the interests of those who use the data are annulled by the interests of the subject of the affected data. It is reasonable to assume that cold communication and sending emails to legitimate business prospects, identified through the title of the job and the employer, will still be possible under the GDPR.