GDPR requires companies to inform their data subjects of the legal basis under
which their data is to be processed. This needs to be communicated in a privacy
statement and the individual's consent [if appropriate] recorded. This needs to
happen by 25th May 2018 – not starting the process after GDPR, but actually having
completed the process by then.
It is possible that any company marketing to non-compliant data after 25th May
would face enforcement action. Has this really been thought through?
I guess that the ICO would claim that GDPR has been around for two years and
that organisations had plenty of time to complete this migration; however, in
reality many companies are unaware of GDPR and really haven’t engaged at the
level they should. So how are they going to complete this desperately important
activity?
I have started to see evidence of GDPR migration – you can spot the new
GDPR-compliant sign-up processes a mile off; the clue is usually the existence of a
privacy statement and a separate check box to confirm acceptance of the privacy
statement content. However, a few companies are still getting this wrong. The ICO
is not known for lenience, with huge fines for human error or simple
processing mistakes, so a well-meaning attempt at GDPR compliance is unlikely
to save a company from enforcement.
The key is that organisations need to start this activity now! They need to look at
their data and decide how best to migrate to GDPR-compliant data. Take a look
at Optindigo for ideas, but whatever you do – start now!
Good luck all.