it's not just noteworthy because it's a worthwhile piece of research to see how companies are gearing up for a major change in a law that directly impacts email marketing. It stands out because it underscores, to me anyway, that companies are being asked to report on their progress in getting ready for GDPR before the Information Commissioners Office (ICO) has provided full and clear guidance. There is a useful page on its site summing up progress so far, but it is the first to admit that its work has yet to be finalised.
Maybe this is understandable, as the regulation was only finally approved and translated this May, but I think a part of anyone in marketing would be surprised to hear that full and clear guidance isn't yet available on a regulation that took several years to pass through the EU parliament. Anyone looking into the ICO's document on what guidance companies can expect at which time could also be forgiven for being a bit confused. A list of guidance topics are going to be dealt with, the document promised, over "the next six months," without putting a date on the document. Presumably, it means six months on from the regulation being passed in May? So by the end of the year? It is not clear.
I guess companies will have hope that is the message, that clear and full details on how the ICO views the regulation will arrive around 18 months before the law comes into being. Crucially, there will need to be some details on how the ICO interprets some of the regulation's new clauses. The right for a customer to expect data held about them to be deleted will need to be properly framed -- otherwise, as is pointed out today in a column in Campaign magazine, the public could start asking to be "forgotten" by businesses they have a poor credit rating with. Crucially, the ICO will also need to give some guidance on fines and how it will react if transgressors are brought before it. The fear in the marketing industry is that the organisation that has been well respected for putting education and warnings ahead of large fines will soon have little room for flexibility and will have to strictly enforce the full letter of the law.
So, as companies are asked how they are preparing for the May 2018 introduction of the GDPR, it might be fair to ask the same question of the organisation that is charged with giving them a steer on how the new law will be interpreted and implemented in the UK. Until that is forthcoming and marketers have a template to build their efforts to be prepared, it strikes me as potentially a premature question to ask businesses. Maybe it's one the ICO should have been asked first?