What the ICO says –
“You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.”
What does this mean for your organisation –
This is the big one: it is causing the most controversy and confusion, and it is the one thing I get asked about more than any other aspect of GDPR.
Before I begin, I will quote the ICO blog: “Consent is not the silver bullet”. There are several situations where consent is not required, but if it is required, your organisation must ensure it is obtained and handled correctly.
If you do marketing, then the current most common marketing business model becomes pretty much obsolete after May 25th, 2018. That doesn’t mean you cannot market anyone after that date! What you must do is be very careful and very much in line with the 8 Data Subject Rights and 7 Principles of GDPR, especially when it comes to transparency.
The biggest issue here is ensuring the data subject is kept well informed of what your organisation wants to do with their PII, how you obtain “Explicit Informed Consent” from the data subject, how you allow the data subject to “easily” withdraw their consent, and how your organisation handles that withdrawal of consent.
Start by going through your contact databases and checking whether you already have consent from individuals. If you haven’t, then move on, as you shouldn’t be marketing to them even under current regulations. Contact those individuals you already have consent from to reaffirm their consent under the GDPR, ensure you can audit any consent given, and ensure they can easily update their consent preferences.
The next big question that gets asked around consent concerns the PII of B2B individuals. Most people understand consent around B2C easily but struggle with B2B. GDPR is very much aimed at the protection of the rights, freedoms and PII of EU residents/citizens, irrespective of whether the relationship is B2C or B2B. So long as your organisation processes PII lawfully, in line with the GDPR principles and an individual’s rights, then it’s fine. The key point here, though, is defining the lawful basis for processing PII and documenting the lawful reason(s) for processing. That is what is required.
The 12 Days of GDPR snippets are not designed as a guide to make your organisation GDPR compliant, they are just to whet your appetite to get you started. BMGUK Consultancy Ltd has one of the few certified EU GDPR Practitioners in the UK, so get in touch and I can assist your organisation to become GDPR compliant.
What is the GDPR? – It is the new evolution of data protection across the EU. On May 25th, 2018 the General Data Protection Regulation becomes enforceable, so if your organisation processes personally identifiable information of any EU resident then you need to be prepared for the GDPR; otherwise your organisation could face significant penalties.
From the largest multinational down to the smallest of sports clubs anywhere in the world, if your organisation offers goods or services, even free ones, to EU residents then it is highly likely that your organisation will be required to comply with the GDPR.
Whether your organisation is based in the UK or overseas, get in touch with BMGUK Consultancy Ltd for all your GDPR needs.