It’s been three months since the General Data Protection Regulation (GDPR) went into effect, and some businesses are still working to get their compliance plans in place. While there’s a lot of GDPR-fatigue (Forbes breaks down several unexpected consequences of GDPR, like roadblocks for blockchain data storage, poor customer service, photography under GDPR compliance, and more), businesses still have to make the new adjustments associated with the regulation.
This past May, the General Data Protection Regulation (GDPR) went into effect. This regulation requires businesses to obtain affirmative consent from a data subject to use their personal data. It also requires a business to provide a user the ability to revoke consent, and this action must be tracked and logged and easily presented.
By now, marketers should know that the General Data Protection Regulation (GDPR) went into effect on May 25, 2018. A common belief is that double opt-in methods for email marketing solve the regulation’s requirement for gaining consent to collect and/or process a person's (or, data subject’s) data—but they don’t. Why? Let’s break it down.
The General Data Protection Regulation (GDPR) has been enforceable for several weeks now. Leading up to its May 25 deadline, many marketers were (and still are) evaluating their consent capture and tracking methods, ensuring they were up to par with this new regulation. Where many fall short of compliance is in relying on double opt-in methods. Let us first state this: The information a double opt-in collects on its own is not enough to prove consent. When a user opts in to your company’s newsletter by filling out a form, the link to complete the sign-up in the confirmation email does not provide the information needed to prove consent under the GDPR.
Not quite ready for the General Data Protection Regulation? You're certainly not alone! Thorough preparation for all aspects of the GDPR is the only way to truly ensure readiness. In the meantime, we’ve put together this GDPR Consent Management Survival Guide Infographic to help you get through May 25 and beyond.
The GDPR provides a “legitimate interest” exception to the use of personal data. This exception allows companies to use personal data without obtaining consent from the data subject. Although this exception has gained traction lately, the idea of an organization’s legitimate interest in processing personal data is not a new one. The exception first appeared in Article 7 of the Directive 95/46/EC, which the GDPR replaced. The exception is cited in Article 6 (f) which states:
The GDPR and the fact that it gives data subjects the right to be forgotten has become a hurdle for marketers. To make things a little more interesting, it is not an absolute right and there are circumstances where a request to be forgotten can be denied—it’s called legitimate interest.
As the GDPR transforms from a distant vision to a fast-approaching reality, it is easy to get swamped in preparation and neglect some of the details of the GDPR. There is so much that the GDPR is that we find it necessary to point out what it is not.
We’re one month away from the GDPR (technically 5 weeks and 1 day), and businesses are wrangling their teams together to get processes and compliance in place. In our latest webinar hosted by Kyle Robbins, JD, Legal Solutions & Privacy at PactSafe, we discuss what we know about May 25’s GDPR, as well as:
In addition to requiring businesses to clearly state to data subjects how their personal data will be used, Article 7 of the General Data Protection Regulation will require them to gain consent to process their data, and provide an easy way for data subjects to update their preferences or revoke consent entirely. Illegally processing personal data can come with heavy fines - upwards of €20 million or 4% of your company's annual global turnover.