Let's be more clear -- does anyone reckon that all the big guys will get it right, and that if they don't they'll get a steer to make a minor adjustment? That's certainly where I stand, although from a small and medium-sized business point of view I think it will be one of the biggest acts of accidental mass disobedience the UK has ever seen. Small companies just haven't heard of the GDPR and may panic at the last minute if they do, or, more likely, carry on and unwittingly breach it.
But come May 28th, the first business day after the law comes into effect, I really don't see huge fines flying around and major headlines hitting the front pages about companies being hung out to dry by the ICO. Here's why.
The latest World Federation of Advertisers (WFA) research into attitudes among executives responsible for brands found that 98% believe their marketing guys are taking care of it. That's way up on the three in four who were so confident last summer.
Now, there are some acknowledged gaps. The really big one, which will hit a lot of companies, is dealing with enquiries from customers who want to know what data is held on them and want it amended or erased. The WFA shows this is a priority for more than two in three (69%), but only 12% have actually implemented a solution.
Again, two in three are already working on contracts and on reviewing and updating how they process data -- but trust me, it is people writing, calling and emailing to find out what a big brand knows about them that those household names will be least prepared for.
However, the ICO doesn't give a deadline for feeding back and, from what I have heard, has been pretty open that repeat offenders who just keep on making enquiries could be charged if they persist in their requests.
So, again, it's not the stuff of the big fines. That will happen at some stage when a misguided brand has a data breach it believes it can contain or wants to keep secret and doesn't inform the ICO. Mark these words: that's where the big fines will be -- not for sending out emails after someone has asked to be unsubscribed.
As for SMEs, all that most people will need to do is update their privacy notices to say they consider marketing a "legitimate interest" of the business and nominate a person to receive emails asking to be taken off the database. Pretty simple stuff, really.
I recently gave a talk about this and pointed out that the main difference between the Data Protection Act and the GDPR, which replaces it, is that when the ICO lists company responsibilities it has moved from bulleted points to numbered items.
Pretty much everything in the GDPR is already in the DPA, as long as you don't choose consent as your legal basis for marketing.
I'm not suggesting companies take this shortcut, because nothing is better than fully informed consent, but for the many SMEs who find they need a sticking plaster on May 25th, an updated privacy notice will get them out of a tight spot quickly.
As for the big guys, where all the attention is, virtually everyone knows about GDPR and is working on it. The one problem they have is the internal mechanics of feeding back on information requests from the public but, you may be surprised to know, this is a right UK citizens already have. It's just that it's never been fully brought to our attention and virtually nobody acts on it. Some might flex their GDPR muscle on May 25th and beyond, but I doubt the numbers will be great.
GDPR has fallen victim to spokespeople selling solutions on the basis that they can get companies worked up and terrified about a new law which changes far less than many people are led to believe.
Come May 25th, I think we'll have another Year 2000, or Y2K, scenario, where everyone was expecting the lights to go out but life just went on as normal, albeit with a monumental hangover.