That date that everyone thought would never arrive (or maybe they hoped would never arrive) is finally here.
May 25, 2018.
Apologies to those of you with significant life events on this date. What I am talking about is the European Union’s General Data Protection Regulation (GDPR), which finally becomes enforceable on this date.
We’ve talked about this before, and I’ve explained the requirements to be GDPR compliant and the penalties for not being compliant). This time around I wanted to talk about the way GDPR is affecting all of us.
You may have noticed that as the calendar counts down to May 25, you have been receiving a flurry of emails from companies that you deal with (perhaps you’re on their mailing list, or perhaps you are an existing customer) asking that you confirm your acceptance of the way they keep and use your personal data. Most of the companies have been specifically asking for a positive acceptance (by visiting their website or replying to an email). At least one, though, stated that they would take my continued use of their service as acceptance. Now, I am not a legal expert, but that strikes me as not being in the spirit of GDPR. At the very least, the regulation states that for storage and processing of personal data, explicit permission must be attained.
Will the World Change?
It’s unlikely that the world of IT will change overnight as a result of GDPR, and let’s face it, companies have been preparing for this event for years.
Yet the world at large is much better informed about personal data than it ever was before. With recent events around social media and how your data is being used (or misused) making the news, people are rapidly becoming aware of the implications of unfettered use of personal information. Because public understanding of the issue has improved, companies will face a tougher challenge in getting informed consent. And there are issues in just those two words.
You can no longer just ask a customer to accept whatever you want to do with their data without explaining it first. As a business, you need to be clear about how you are going to process the data and you need to re-request consent if you ever change the ways in which you use that data. At the same time, you cannot expect users to read pages and pages of explanation in the hope they’ll just tick the “Yes” box and be done with it.
Informed consent also must take into account whose consent you are seeking. For example, a social media platform aimed at teenagers has a totally different demographic than a discussion group of legal professionals. It is not acceptable to use the same wording in both cases.
Another challenge is that consent, once given, can also be rescinded by your user/customer. Yes, that’s right. Customers now have the right to contact you to say they no longer accept your terms. This is a little different to “the right to be forgotten.” In this case, for example, they might still want to remain your customer, but they don’t want to be on your mailing list any more.
Are You Prepared?
All this means, of course, that all companies should have been ensuring that they hold consent from their customers to store and process their personal data and that they have procedures in place to track that consent and to process any changes in the consent that has previously been given.
Data Recovery and GDPR
Before I close, I’d like to take a moment to remind you of the upcoming webinar from BMC on the subject of GDPR and data recovery. It’s on Wednesday, May 16, 2018 at 1 pm ET/12 noon CT/7pm European Summer Time.
Achieving recovery compliance under GDPR can be easier than you think—and it can also save you money in the long run. Find out how you can protect your business and stay one step ahead of auditors—register today!
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.