Even with such a short period of time before the most significant change in data protection since the introduction of the Data Protection Act (1998) comes into force, many companies are only just beginning to realise they will be affected by the changes and need to act quickly.
Having hosted numerous GDPR training sessions over the last six months, we have heard, first hand, just how confused the general business community are. They are struggling to come to terms with the implications of the new regulations on their individual businesses and sectors. With call times to regulatory body, Information Commissioner’s Office (ICO) helpline reportedly reaching into hours, it would be safe to say that confidence in compliance is low.
A common ask from businesses is for confirmation they are GDPR ready, though this indicates a “finishing line” and one doesn’t really exist when it comes to data protection. Most businesses we speak to are frantically implementing a re-consenting programme to safe-guard existing databases; however the problem exists in what we are asking consumers to consent to. As technology continues to progress at an ever-increasing rate, we do not know the opportunities (as marketers) available in even the most immediate future. As re-consent is required every time a new “use” for data is proposed the industry could witness slower uptake in future Martech opportunities.
Data portability and guaranteed consent will continue to prove troublesome as we navigate the early days of GDPR. As an integrated agency we drive the way our clients not only use but collect personal data thus blurring the lines between processor and controller and bringing with it a host of liability issues.
It’s not all bad news however. Businesses who have taken steps to map where they currently collect and store data have an opportunity to streamline processes and conduct a strategic review of their current marketing and communications operations.
With most lawyers we speak to hesitant to offer assurances on what steps businesses should take, we suspect that the new regulations will be tested (and clarified) in the courts, with a few high-profile cases which will offer some clarity for the rest of the business community.
Whilst the ICO and their fines of up to €20 million, or 4 per cent of annual global turnover (whichever is higher) is scary enough, most businesses fear the burden of on-going data management and their responsibilities to respond to public requests, with some businesses opting to delete data and look for more straightforward communication channels.
For the public I predict that, apart from receiving a multitude of re-consenting e-mails, little effect of the regulations will ever be felt or understood. I also believe that it is the man-on-the-street that businesses should fear, rather than the ICO, as the core purpose is to put control over personal data back into the hands of the individual. With such a lack of understanding, businesses are going to spend a lot of time responding to information requests which will prove burdensome for even the biggest of businesses.