The impact of GDPR in the various sectors of a company

The impact of GDPR in the various sectors of a company

GDPR came into force in May last year and brought many changes to the companies. Almost a year after its arrival, there are still many doubts about the impact that this regulation will have on the various sectors of a company. For this reason, we have prepared an article that talks about the main changes that happen in each sector of the company due to the GDPR!

Marketing

Marketing is one of the areas that most deals with personal data, so it will be one of the most affected by the arrival of the GDPR. One of the main changes relates to business cards. Before the GDPR this question was very easy to solve: business cards were collected and then placed in an Excel file, possibly, and then these contacts became part of their database for sending newsletters and information from the genre. However, due to the need for explicit consent to data processing, this method is not possible. So, if you want to use the emails to send campaigns, you must collect explicit consent from the owners of the personal data. This point may seem unfavorable to Marketing, but the truth is that it will contribute to having a much more qualified and appropriate database for your business. Another change relates to sending campaigns. If you send messages with promotions to your customers, you are required to submit a link to remove the database. GDPR doesn’t allow messages to be sent without the right to opposition being fulfilled. And it is not enough to put a message to say that if the person does not want to receive more communications by this way can send an SMS to say it: it is mandatory that there is a link of automatic removal, in order to facilitate as much as possible the right to opposition.

Human Resources

If the tacit consent of the candidates was sufficient to enable the company to process their personal data, now the companies need to obtain the explicit consent of the candidates for the processing of their data. Applicants who are not recruited should also give their consent for the processing of their personal data in future recruitment processes. The human resources management area should also create a procedure for obtaining consent from candidates submitting spontaneous applications where they accept the treatment and retention of their curricula. Here you should also indicate the purpose of the data processing and the term in which the curriculum will be kept in the company database. Another change will be active recruitment, which can only be done with individuals who make their contacts available on platforms dedicated to the world of work, such as Linkedin. In this case, there is the willingness of the candidate to be contacted by companies. However, after the first contact, there must be an explicit consent from the applicant to the continuation of the processing of his/her personal data.

IT

A data protection law should not be required for companies to look at security as a priority, but the truth is that many companies did not look seriously at data protection. After the arrival of the new legislation, and much because of the large fines for non-compliance with the law, companies began to view security as a strategic factor for the company’s performance. The IT manager now has an increased responsibility (if there is no DPO in the company) that is to ensure the total security of all information systems, so that no data is lost. Processes must be created or adapted so that data is protected. The methodology to be used should be privacy by design, to facilitate the monitoring of communication of events related to personal data. The company must ensure that highly sensitive data is encrypted or masked so that there is no risk of loss and the company falls victim to the heavy fines set out in the new regulation. Datapeeers offers a variety of sophisticated scrambling techniques to protect sensitive data, replacing them irreversibly with fictitious but realistic data.

The company must create an internal communication program, so that it involves all areas in this change. GDPR compliance officer should inform and sensitize employees about data privacy and the risks that non-compliance poses to the company.