Now the dust has settled and we’re almost ‘back to normal’, where do we stand?
We’d all known that 25 May was coming for at least 2 years, but it took a deadline to focus minds and be the catalyst for activity.
We’re all familiar with the deluge of “We’d like to stay in touch” emails from companies we’d once bought something from online and long ago forgotten. Most of these arrived in the last 2 weeks before the deadline.
We started quietly upgrading websites in 2017 to be compliant with the new regime. We took guidance from all corners for best practice, not least from the ICO, to ensure the things we put in place were shining examples of good practice. Our recent software platform releases have been compliant from the start but we still had a backlog of established sites to upgrade.
GDPR brought new responsibilities for website owners (clients) and website builders (us!) and rightly put a lot more power in the hands of end users. This caused us a lot of short-term pain, but we knew it was the right thing to do. As an aside, it was interesting to see the range of attitudes amongst clients to the new regime. These ranged from embracing it wholeheartedly and seeing an opportunity to cleanse their database and position themselves afresh as ethical recruiters, through treating it as painful but necessary, right through to refusing to engage and burying their heads in the sand over the implications.
What should you look for in a supplier?
Someone who will work with you in partnership. Someone who is open and honest about their software and how it holds sensitive data. Someone who is committed to ‘doing the right thing’, even if it’s not always the most convenient thing.
Be vigilant. Be honest: if you have a data breach, report it through the proper channels. Although there are potential fines for infringements, these are unlikely to be used against smaller companies that are showing they are trying to follow the rules. The ICO has said that they will follow a ‘carrot before stick’ approach, encouraging good behaviour before punishing bad. The legislation is new and there is little case law; this will only emerge over time. But examples are only likely to be made of large organisations that are demonstrably careless with personal data.
Take GDPR as a realignment of your responsibilities to candidates. Personal data rightly belongs to the individual and they have a clear right to control that data. We’ve had the Data Protection Act for 20 years now and we should all have got used to thinking ‘privacy’. The new regime merely extends the previous legislation and puts more power in the hands of individuals.