Any website that collects personal data of EU users must comply with the General Data Protection Regulation (GDPR).
The law comes into effect on 25 May. It was adopted on 14 April 2016 and, after a two-year transition period, becomes enforceable on 25 May 2018.
- GDPR extends some of the liabilities and responsibilities of data controllers to data processors
- The controller has to ensure the processor is capable of handling its GDPR obligations
- Online tracking must comply with GDPR
What is the BIG Deal?
- The compliance requirements placed on controllers and processors of personal data are a safeguard for individuals. GDPR compels companies to obtain explicit permission from users to use their information. It also applies to companies located outside of the EU that have customers in Europe.
- Your leadership team needs to understand the impact this new regulation will likely have on your organization. The time and resources needed to adapt to this regulation should not be underestimated.
- Make sure there is a clear distinction between mandatory conditions of your service and consent. Mandatory conditions must be included in your terms and conditions and must not be dependent on consent.
- When transferring data to a third country, data subjects must be made aware of the transfer of their data.
- Your organization can face steep fines and sanctions from the data protection authority in case of a breach of the law: administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Regardless of the organization’s location, any organization that collects or processes personal data of individuals who are in the European Union is subject to this regulation.
What are some categories of personal data?
- Client data, employee data, candidate data, on-boarding data, and talent data
- Personal details
- Bank account data and credit or debit card data
- HR data
- Qualification and education details
- Salary and Social Security data
- System access
- Authorization data
Every affected company needs to determine whether and how to comply with the GDPR regulations.
How To Prepare and How to Handle Consent?
- REVIEW / UPDATE CONSENT PRACTICES AND DATA PRIVACY NOTICES (AND INFORM YOUR CUSTOMERS) – If you are currently asking individuals for consent / opt-in to collect and process their personal data, you may need to create or update your process because of the GDPR, and you may need to update your data privacy notices.
- Determine where and for what purpose your organization collects personal data from individuals. Do you share this information? If so, with whom? Do your current processes meet the requirements of the GDPR? If not, start planning how you will update them. Document what personal data you collect, along with the lawful basis for collecting and processing it.
- YOU MAY NEED TO APPOINT A DATA PROTECTION OFFICER (DPO) – Under the GDPR, it will become mandatory for certain controllers and processors to designate a data protection officer (DPO). This will be the case for all public authorities and bodies that process personal data. It will also be the case for organizations that, as a core activity, monitor individuals systematically and on a large scale or that process special
What to Ensure?
What to Avoid?
How To Handle Consent For Direct Marketing? (recital 47)
- Direct Marketing is subject to e-privacy
- Direct Marketing is subject to GDPR
If you are processing personal data to generate electronic communications, the most stringent rules apply and you must offer an opt-in / opt-out.
If the individual refuses the marketing (opts out), the data controller cannot send any further marketing. (This applies to all forms of communication.)
Under the e-privacy rules, you cannot send an electronic communication to a mailing list for which you have not obtained prior opt-in from the individual.
However, as a data controller you can send electronic communications under a “soft” opt-in, which must include an opt-out option for the individual, but only when you are selling a product or service and you collected the email address or other contact details from the individual, or the individual has inquired about the information.
The opt-out option must be included in each and every communication, and the soft opt-in covers only the same product or service.
Use separate consents for direct marketing. Do not mix consents for the various aspects of your services.
How To Handle Consent For Recruitment Agencies?
- Depending on the type of consent (offering to contact potential candidates for future jobs, or for one job only)
- Provide control over what the candidate wants to make visible on the website/profile and to a potential employer
Individuals who are not adequately informed will create issues for the data controller.
How To Handle Consent Obtained before GDPR?
- Make sure that individuals in your database are aware of the new privacy terms
- You must make sure that your current mailing list was obtained lawfully, even if the list was obtained prior to GDPR.
- Avoid using a mailing list if you cannot prove that the list was obtained with the consent of the individual.
- Cookies must be based on active consent, given as an opt-in
- Third-party data – proper due diligence on the third party must be carried out. You must ensure valid consents are obtained under GDPR.
- Your organization must be able to provide documented evidence for opt-in
• Take into account the introduction of the European Union General Data Protection Regulation on 25 May 2018;
• Clarify the manner in which your personal data is collected, used and stored;
• Explain the manner in which you may have access to your personal data; and
• Explain how cookies operate when you interact with us online.
If you would like a conversation where you can ask related questions and learn how we can help you, you can book a call with us here: http://www.wethrivemarketing.com/free-consulting/
For GDPR compliance and readiness assessment, book a consultation here: http://www.wethrivemarketing.com/free-consulting/