Were you ready on the day GDPR came into force? No? Don’t panic!
We all know that consent is an important feature of the GDPR. How could we not? People have been banging on about it for long enough!
However, obtaining consent in all circumstances may not have been necessary after all and therefore wasn’t immediately required by the 25th May. And, undoubtedly, the process of becoming fully GDPR compliant will continue into the coming weeks and possibly months.
The process wasn’t helped – or at least, it was potentially slowed down – by all of us having to respond to the seemingly endless e-mails coming into our inboxes asking for consent – sometimes when the asked-for consent wasn’t necessary! This still continues.
The result? A blend of respect for the way data is obtained and handled on behalf of us all, with an increase in workload that has felt, and continues to feel, tedious.
So, what next?
Your business may be fully compliant – or at least, you believe so. You may be one of many who simply weren’t ready on the 25th May. Or, you may still be scratching your head wondering what on earth GDPR is, and what all the fuss is about.
If the fateful date arrived and you found yourself to be ‘Business Owner, the Unready’ then don’t panic. Here are some things you can do:
1. If you haven't already, register with the ICO
Ideally, a good start (if you haven't already) is for your business to register with the Information Commissioner’s Office (ICO). All organisations, regardless of size, are required to notify the ICO should they process personal data.
2. Privacy Notice - Get it out there!
Arrange for a Privacy Notice, making sure it is GDPR compliant (see https://ico.org.uk/) and get it out there. A message on your website and, perhaps, in the footer of your emails is a good start.
3. Check whether your organisation needs fresh marketing consent
Despite all the hype, hysteria and the warnings about how we’re all going to be fined enormous amounts of money, it is quite possible that your organisation doesn’t need to ask for fresh ‘opt-in’ consent after all. A lot of what people think they know about GDPR isn’t accurate. Our advice: check with those who truly know. Your ongoing contact with clients of your business, for example, might be perfectly acceptable on other grounds that are still within the parameters of the GDPR legislation, such as legitimate interest (see ICO).
4. Supplier contracts - are they GDPR Compliant?
You are likely to start receiving contracts from suppliers in their updated form. More work, I’m afraid! You will need to check that fresh and updated contracts are compliant with the GDPR. We advise you to check contracts carefully to ensure they cover only what’s required and nothing additional. If you haven’t received updated contracts – and, as if you haven’t already got better things to do! – you might like to find out why, as all contracts will need to be updated.
5. OK - so you've left it late. It's time to plan ...
We’re all a part of that wonderful condition we call ‘human’. Some are super organised. These enviable individuals love to have everything ready ahead of time. Others, well, these folks are a bit different in how they see their priorities. It’s not that they’re trying to be difficult or to side-step the law, it’s just that other things have taken precedence. Then there are those who really are confused. They’re scratching their heads wondering what it’s all about and how their little business can possibly be affected by the behemoth legislation that is the GDPR.
If you think you’re done and dusted – lovely! If you’ve more to do, or you’ve not even started with what needs to be done, then it’s time to plan what you intend to do to ensure your organisation is compliant over, say, the next 6 and 12 months. When in doubt, refer to the ICO.