When the General Data Protection Regulation hits in around three months’ time, a new era of data security will dawn for all firms that process the personal information of EU citizens.
This means the GDPR’s reach will be truly global, obliging all organisations to rethink how they collect and deal with the personal details of employees, clients and customers alike.
Most businesses will have at least heard of the new Regulations, and many bosses should have begun their journey to compliance.
At the recent GDPR: Summit London, Julia Porter, Board Director at DMA, highlighted the “transfarency” policy of Southwest Airlines to demonstrate how bigger companies are realising that business strategies of the future have to be built around understanding the customer.
As more and more firms follow suit, executives will have to ensure that their marketing drives conform to the culture of consent that is core to the GDPR.
A foundation of trust
As detailed by the Information Commissioner’s Office, consent needs to be considered as a new form of ROI; it’s that important. Under the GDPR, consent must be separate from other Ts&Cs, in the form of an explicit opt-in choice following a clear and easy-to-read explanation of what data is required, for what purposes and how long it will be stored. Pre-ticked boxes will no longer be considered valid grounds for consent.
Consent must be:
- Freely given: the data subject must be able to refuse or withdraw their consent to their data being used without detriment.
- Specific: if data is being collected, its use must be specified clearly.
- Informed: the data subject must be told about the impact that use of their data can have.
- Finally, consent is definitive. Once the data subject does not respond to requests for access, the data processing ends.
Re-consenting under the GDPR
But what of the data the organisations already hold? Recital 171 of the GDPR says:
“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”
This means that if data currently held was obtained in a way that conforms to the GDPR standards, then consent does not have to be re-sought and the integrity of the data’s consent is good, post-May 25th.
This will likely be the case for most marketers’ data that’s already held. If consent for information held has not been obtained in a GDPR-compliant way, then it will have to be deleted or new consent will have to be established, at the risk of financial penalties.
Consent for stronger business
As businesses continue to prepare for the GDPR, bosses should make efforts to implement privacy by design, ensuring that all data-handling procedures safeguard higher standards of consent.
Ultimately, it’s about giving individuals more power and choice over what information they share and how it is shared.
You can catch up with the cutting edge of the consent conversation at GDPR Conference Europe, a one-day event packed with insight from key UK authorities on the forthcoming legislative changes.
GDPR Conference Europe: Roadmap for Sales and Marketing features 10 keynote presentations and live panel discussions that will provide case studies, specialist guidance, actionable steps to compliance and much more.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.