GDPR – so much to do… and real practical guidance is needed! Now!

“Work” is changing significantly at this moment – the concept of chargeable work that ultimately pays the bills seems to have gone out of the window! Administration seems to be the name of the game now.

GDPR – General Data Protection Regulation – means a complete review of all products, software, methodologies, procedures, the need for staff (and partner!) education. Documents need to be updated or created. Whilst the ICO website provides guidance, interpreting this and converting it into practical documents and procedures is proving hugely time consuming. Having written a document or procedure, getting others to agree with the interpretation or methods of implementation etc. leads to hours of discussion, redrafting and further discussions on the revised versions – a vicious circle. And made even more difficult by those not having looked at any of the guidelines!

Even the apparently simplest of things often leads to more questions than answers. I have three full pages of issues noted already where answers are really required as to how to proceed.

Consider obtaining an email address of a new client. Whilst general correspondence may be by way of email, you also want to send him regular newsletters and other “marketing” information.

So, does the fact that he has signed up (perhaps many years ago) as a client mean he has automatically agreed to be added to a mailing list?

What if the question “do you want to be added to the mailing list?” is asked verbally in a meeting when obtaining other new client personal data such as names, addresses etc.?

What if he is sent a form to complete himself – either paper-based or online – and this question is posed and he ticks the “Yes” or “No” box himself?

None of these appear to meet the GDPR guidelines regarding consent – informing him of how the data will be used, his rights to withdraw consent etc. The online or paper forms he completes himself could require a whole page of text setting out data usage, rights etc. He will need a whole page in any event to disclose all the privacy information in connection with the other data being collected, so could one of these uses be to add him to the email newsletter circulation list? Is this considered too “hidden”?

Should a completely separate and specific “Email Consent” form be supplied – both to existing clients and to new clients in the future – so that there is no argument and there is proof of specific consent?

If we have the email address we are going to use for correspondence, is it permissible to send a specific email asking them to click a Yes/No button to subscribe to marketing emails – but this email or linked page would also have to have all the GDPR requirements built into it though?

Your thoughts? How are you dealing with this apparently simple aspect?

What has been the biggest challenge to date? And the biggest time waster?

What questions do you need answered? And where are you going to get these answers from?