2018 is here, which means time is running out to prepare for the EU General Data Protection Regulation. The 25th May deadline is starting to feel very close, and in part two of this three-part blog series, NW Security Group (formerly known as NW Security Group) highlights one of the most hotly debated aspects of the new legislation that will help businesses across the region ensure compliance: has the data owner consented to having their Personally Identifiable Information (PII) stored and processed?
Perhaps the greatest change to the new EU GDPR compared to the outgoing Data Protection Act is the strict approach to user consent. As the proliferation of connected systems and technologies accelerates the magnitude of personal data that is processed and stored, ensuring PII is used on a lawful basis is vital to achieve compliance with the new legislation.
A lawful basis for storing data
All businesses must have a lawful basis to store PII. This could be explicit consent; contractual reasons (e.g. company employees); compliance with the company’s legal obligations; safeguarding the interests of data subjects; or legitimate interest. Where the lawful basis for storing the data is consent, that consent must be freely given and explicit in nature. For marketing departments, consent could be obtained by clicking a clearly labelled opt-in box, for example. An organisation will need to obtain this consent for each purpose for which the data will be used. Once consent is given for a specific lawful use, it cannot be swapped for another purpose without further consent.
Updating a company’s privacy notice would be an effective way to ensure the lawful basis for processing data is identified and documented. The new rules are set to have a great impact on marketing teams in particular, as any consent given must also be necessary, and it cannot be used as a quid pro quo for access to certain services. For example, providing a free service such as a mobile app in exchange for access to email addresses will no longer be viewed as valid consent.
Furthermore, PII stored for other marketing purposes should be kept only with the consent of the data owner, and that consent must be valid and up to date. While this may sound like a daunting prospect, complying with the GDPR in this manner presents the perfect opportunity for businesses to clean up their databases and ensure that consent to store and process PII is obtained going forward.
There are severe consequences for non-compliance with the EU GDPR, which could be especially damaging for smaller businesses. There are, however, experts in the field of GDPR readiness that can offer the guidance required to help your business overhaul its stored PII and avoid fines by implementing best-practice measures for data security. NW Security Group can help your business prepare for the new regulations by conducting an Organisational Readiness Assessment which will produce a clear and actionable road map to compliance. Learn more about our EU GDPR Awareness Training.