The GDPR has been in application for three months. There was a lot of fear and confusion among companies, but the average citizen was given the opportunity to access their aggregated personal information on social networks, and clearer explanations of how and why this data is processed when using loyalty programs and when marketing materials are sent to their email address.
Over the past few months, the concept of GDPR has entered the collective consciousness of Croatian citizens, partly because of daily articles on the subject in the media, partly because of irritating consent requests sent by e-mail. Behind this concept is the General Data Protection Regulation (GDPR), which came into effect on May 25, when its popularity on Google surpassed that of the World Cup, as well as that of numerous world stars such as Rihanna, Beyoncé, or Lionel Messi. Today, three months later, the number of searches has returned to its usual level and many portals have stopped informing citizens and organizations about the obligations the Regulation introduces. The result of these articles has often been a deepening of confusion and fear of the Regulation and the rigorous penalties it prescribes. On the other hand, the result of the Regulation is a clearer process for handling personal data.
There are three ways in which an average citizen could encounter the Regulation: the ability to access their aggregated personal data on social networks, the more clearly explained ways and purposes of processing personal data when using a loyalty program, and giving permission for marketing material to be sent to their email address. Related to this, companies face the challenge of identifying the personal information in their possession, revising or establishing their privacy policies and personal data handling, and establishing the legal basis for each process of handling or using personal data in their business.
The greatest benefit that came with the Regulation is the filtering out of a large number of ‘newsletters’ that arrive in our inboxes every day. Prior to the Regulation, many organizations that collected our e-mail addresses for various purposes unilaterally decided to use them for sending marketing materials. With the Regulation, all these companies have to prove that each individual to whom they send these materials has given clear and unambiguous consent, which most of them did not have. In order not to lose the ability to send marketing materials to the masses, the companies sent out panicky consent requests on the 25th of May, hoping that recipients would respond as quickly as possible and that they could maintain their marketing reach.
A heavy workload for companies
Practice is created along the way
Based on these and many other challenges that companies face, the basic conclusion after several months of work on alignment projects is that this topic is complex and new to all stakeholders, mostly because there is no example of good practice to borrow from other countries: the Regulation became binding for all organizations, from Bosnia and Herzegovina to Sweden, on the same day. Even companies outside the EU that handle personal data of EU citizens must embed it in their business and comply with its requirements. Nevertheless, we can all actively follow the publications, guidelines, and opinions of the Personal Data Protection Agency (AZOP), the European Data Protection Board (EDPB) or a foreign supervisory body, such as the British Information Commissioner’s Office (ICO). While you make your way through this forest of information, experts from Apsolon are available to you as external help in the alignment process.
What companies must do
- To identify all the personal information the company possesses, it is necessary to review all business processes in detail, focusing in particular on personal information.
- In order to avoid penalties, companies must use personal information only for the purposes for which they have individual consent. Those who used individuals' e-mail addresses to send marketing materials must analyze the ways in which those e-mail addresses were collected.