GDPR

A lot of people perhaps associate GDPR (short for General Data Protection Regulation, which is the EU’s data protection law) with the annoying “I accept” buttons you have to click when visiting websites these days. There are, however, excellent reasons for the introduction of this regulation – primarily so that consumers are able to feel secure in the knowledge that their personal data is being properly protected by the companies they share it with, consciously and unconsciously. This imposes a number of demands on how your business deals with such data, and not least how it is stored. A breach of these rules can lead to stiff, eye-watering fines – but if you are aware of the regulations and process personal data correctly, this can actually give your company a competitive edge.

Generally, there are four points you should pay particular attention to:

You can only use personal data for the purpose for which it was collected – and that purpose must be specifically explained.

Consumers have the right, upon request, to have their personal data erased, or to object to its use for marketing purposes.

The customer has the right to have their personal data transferred from one data supplier to another, for example in the event of the customer relationship changing.

You must obtain consent prior to storing information, and this consent must be based on clear and explicit conditions.

This last point is particularly important if, for example, you want to send out a newsletter using e-mail addresses collected through your website.

What does this mean for you in purely practical terms? For example, you cannot begin to send out marketing to someone whose business card you have received, if that person has not consented to it. If you have stored personal data about someone, that person has the right to have the data erased or rectified – this also means that you have to ensure that such requests can easily reach you.

The Norwegian Data Protection Authority (Datatilsynet) has produced a useful overview of all the obligations that a business is subject to under GDPR when personal data is collected and used – as well as practical guidance on how the rules are to be applied.