i.e Data where permission was previously obtained under the old legislation does not meet the standards of GDPR
In response to the additional requirements of GDPR, REaD is enhancing its safeguards to ensure all personal data is collected and made available by REaD in a compliant manner. Clients should be aware that some of the personal data REaD holds and makes available will have been collected before such additional safeguards were put in place. This does not mean, however, that such data cannot be relied on by clients in appropriate circumstances. REaD has always taken steps to ensure that data subjects were informed that their personal data would be used for direct marketing purposes, provided with information on the categories of third parties with which their personal data may be shared and used and given an opportunity to opt-out. Of course, as with any personal data received from REaD, the client must ensure it is taking appropriate steps to comply with its obligations as a data controller (as set out above).
*If a controller finds that the consent previously obtained under the old legislation does not meet the standards of GDPR consent, then controllers must assess whether the processing may be based on a different lawful basis, taking into account the conditions set by the GDPR. However, this is a one-off situation as controllers are moving from applying the Directive to applying the GDPR. Under the GDPR, it is not possible to swap between one lawful basis and another. If a controller is unable to renew consent in a compliant way and is also unable to make the transition to GDPR compliance by basing data processing on a different lawful basis while ensuring that continued processing is fair and accounted for, the processing activities must be stopped. In any event the controller needs to observe the principles of lawful, fair and transparent processing.