The crux of the workshop looked at the different legal bases that venues can use in order to process their customers' data.
There are six in all, but we only covered three which were:
Once you identify the legal basis that you will use for each of the data processing activities you carry out, you will need to document this in your Data Processing Audit. That’s Step 1 of becoming GDPR compliant done (see, we said it is fairly straightforward).
Step 2 is updating your privacy policy. Your privacy policy needs to communicate what customer data you hold and on what legal basis you will be using that data. Furthermore, and perhaps even more importantly, you must outline how customers can withdraw from the holding and use of their data. This is your basic starting point, and you will certainly need to add more to your Privacy Policy. If you need more help, get in touch and we will be happy to lend a hand.
Step 3 (and the final step): review this process regularly. We recommend a review every 6 months or so, and be sure to record what was discussed and pop it into your GDPR file. This way, you can evidence that GDPR is an ongoing process within the organisation. There you have it. GDPR broken down into 3 easy steps; the simple version.
There are, of course, other areas such as PECR, 3rd Party Data Sharing and so on, but with these three steps you’ve made a good start.
If you want advice or just to bounce a few ideas off us, please get in touch and we will be more than happy to chat through things with you.