The General Data Protection Regulation (GDPR) is a new European ruling, which governs the data protection rights for all individuals within the European Union. It serves to strengthen and unify all data protection rules and practices across the EU.
GDPR will put the power back into an individual’s hands. They will gain the rights to access, amend, and restrict the personal data organizations have about them.
In the unfortunate event that an organization suffers a data breach which could compromise the security of individuals' personal data, those individuals must be told within 72 hours of the start of the breach.
Individuals also have the "right to portability": the right to move their data and services to another provider with no hassle or strings attached.
The greatest change within GDPR is the way consent is granted. Consent must be knowingly and willingly given by the individual, with organizations making their intentions for data use clear. Soft opt-ins, implied consent, and hiding data policies within confusing terms and conditions are all against GDPR rules.
Organizations must keep a record of why, when and how they were granted permission, together with details of what the individual was told at the time. If permission was granted orally, a script of what was said will suffice; call recordings are not essential.
Individuals will have the right to retract consent at any time, and have the "right to be forgotten", which means that if they ask an organization to delete their data, this must be done immediately. The data must be deleted from all backups, and the organization should have proof of the deletion.
Every EU citizen will have the right to ask how an organization is using their personal data, where it is used and why. They also have the right to request a digital copy of the data being held about them.
All individuals will have a legal right to opt out of marketing communications. If an individual does opt out, you must withdraw them from that activity immediately.
The new regulation will apply to any organisation, anywhere in the world, that deals with EU residents. While there is a possibility this could change, it currently applies to both B2B and B2C.
You can still call and email organisations using their generic contact details, as these are not personal data.
The EU and the ICO have not yet made clear whether you can contact potential clients through social media platforms.
You must be compliant with this regulation by 25th May 2018; otherwise you could face penalties of up to €20 million or 4% of your company's worldwide annual turnover, whichever is greater.
Overview of the GDPR from the Information Commissioner’s Office (ICO)
GDPR: 12 Steps to Take Now from the ICO
Getting Ready for the GDPR Checklist from the ICO
“What Is GDPR?” from the University of Roskilde, Denmark