GDPR transparency requirements

Hi. My business is a start-up legal search and corporate coaching business. My website is not yet ready and is due to 'go live' in circa 2 weeks. I have provisionally drafted a privacy policy and am in the process of implementing the 12 steps recommended by the ICO to make me GDPR compliant; however, I would like to know if I should be emailing the privacy policy to my existing clients before the website is up and running?

The clients I have been working with over the past 6/7 months since starting out are known to me and impliedly consented to work with me by emailing their CVs, attending interviews etc. through me. I have not business developed new clients and was waiting for the website to be completed before doing this. On this basis I was not going to email clients directly to notify them of my privacy policy before 25th May. Rather, I was going to cite 'legitimate interest' as my legal basis for rationalising those relationships. I have run an audit and applied the 3 stages test to establish this.

Most of the candidates I work with are also known to me; however, I have been 'head hunting' candidates, largely via LinkedIn. That said, I did not intend emailing them either, based on the same principles as above.

My questions are as follows: 

1. Should I be notifying my existing clients and candidates of my privacy policy prior to 25th May? In the absence of a website and incorporating the policy into the website, I could do this by email, via Mailchimp.

2. Post 25th May when my website is up and running and I start to business develop and deal with new candidates and clients, must I blatantly make them aware of my privacy policy or is it sufficient to point them in the direction of the website where they can access the policy? For future newsletters I will have an option for them to double opt in and provide their consent however - which is more blatant.

I would welcome your guidance, thanks. 

No answers yet