It finally happened! GDPR Day has come and gone.
And life seems… no different – apart from all the questions it appears to have thrown up.
We don’t know about you but, when we were at school, our teachers continually reassured us that there was no such thing as a stupid question. And because they often used to tell us that, we like to think that they were always just being extremely kind and supportive.
Which is why, now that the big day has passed, we thought we’d share with you some of the many questions we’ve received over the past week or so.
You might want to sit down for some of these…
Q. Phew. GDPR Day has come and gone. Can I relax now?
A. Well, it depends on how sorted you are with everything.
Q. So what happens next?
A. GDPR is an ongoing commitment – think of it as good practice. So, it’s still a good idea to review what you’ve done so far, work out if there are any gaps and what you can do to improve things.
Q. Er, I haven’t really done anything with GDPR yet. Is that okay?
A. Urm, it’s not ideal. But neither is it too late to make a start. In fact, the sooner the better. There’s more information than ever around about what you can do to get going. Like these blogs for a start.
Q. What constitutes negligence?
A. In its simplest form, it’s a blatant disregard for protecting people’s data and respecting their privacy, often characterised by continued non-compliance or not taking proper measures to ensure compliance.
Q. So, would a data breach be considered negligence?
A. Not necessarily. No – if you’ve taken all reasonable precautions to safeguard against one; although yes, if you then neglect to take the right action should one occur.
Q. Okay, so what’s the bare minimum I still need to do to keep people happy?
A. Okay, we would definitely recommend taking a look at two of our earlier blogs here and here.
Q. Do I need to register with the ICO?
A. That depends – you can check on the ICO website here.
Q. How will GDPR compliance be monitored/regulated/enforced?
A. From two angles. First, organisations need to be aware of their own compliance and of any breaches that may occur. Second, customers and other stakeholders will hold you to account when you process their data; if they feel that it’s being mishandled, they’re likely to complain either to you or to the ICO. Ultimately, it’s the ICO that’s responsible for enforcing the GDPR in the UK.
Q. Can I be randomly audited?
A. No. There are two types of audits that the ICO can conduct: consensual (where you ask to be audited) or compulsory (for which the ICO will issue an assessment notice). We know which one we’d prefer…
Q. What if I want to volunteer myself for a consensual audit?
A. That’s very commendable. And could actually boost your credibility as a business that’s transparent and takes GDPR seriously.
Q. Do I need to contact all my existing customers for their consent to receive electronic marketing from me?
A. Not if you have their original consent documented and it still fits your legal basis for contacting them.
Q. I’ve not received consent yet. Can I still send stuff that I know they’ll find really interesting?
A. Next question.
Q. Will I still keep receiving pointless emails asking me if I still want to keep receiving pointless emails?
A. Quite possibly. Although probably not if the company has good GDPR support behind the scenes…
Q. As GDPR is EU-wide, how might Brexit affect it?
A. Hmm. Good question. The UK Government passed the 2018 Data Protection Act just before the GDPR came into force. So, the big debate in Europe at the moment is whether the UK data protection regime will still be deemed adequate. Best watch this space…
Q. Now that GDPR is the word, how can I stay updated?
A. Well, there’s always the official ICO website which contains regular updates… and an extremely helpful and friendly company called Databasix that really knows its stuff.
Q. Really? And do they offer monthly support packages?
A. Great question! All we’ll say right now is tune in to our next blog 😉
And, finally, the one other question that everyone really wants answered. After a couple of years’ build-up to GDPR Day and a relentless, sustained effort to help all types of business be ready for it, it centres on what we did when Friday 25th May finally arrived…
Suffice to say that one of us was in Scotland, whilst the other was ‘working’ on the beach.
It’s okay, we know what you’re thinking – is it really possible to get any work done on a beach?
Now, that is a stupid question.
Until next time…