Anyone else thinking that the GDPR deadline is going to be a damp squib -- effectively the Year 2000 "Millennial Bug" all over again, only this time for digital marketing and privacy?
Let's be more clear -- anyone reckon that all the big guys will get it right, and if they don't they'll get a steer to a minor adjustment? That's certainly where I stand, although from a small and medium-sized business point of view I think it will be one of the biggest acts of accidental mass disobedience the UK has ever seen. Small companies just haven't heard of the GDPR, and may panic last minute if they do -- or, more likely, carry on and unwittingly breach it.
But come May 28th, the first business day after the law comes into effect, I really don't see huge fines flying around and major headlines hitting the front pages about companies being hung out to dry by the ICO. Here's why.
The latest World Federation of Advertisers (WFA) research into attitudes among executives responsible for brands found that 98% believe their marketing guys are taking care of it. That's way up on the three in four who were so confident last summer.
Now, there are some acknowledged gaps. The really big one is the issue that will hit a lot of companies: dealing with enquiries by customers who want to know what data is held on them and have it amended or erased. The WFA shows this is a priority for more than two in three (69%), but only 12% have actually implemented a solution.
Again, two in three are already working on contracting and reviewing and updating how they process data -- but trust me, it will be people writing, calling and emailing to find out what a big brand knows about them that those household names will be least prepared for.
However, the ICO doesn't give a deadline for feeding back and, from what I have heard, has been pretty open that repeat offenders who just keep on making enquiries could be charged if they persist in their request.
So, again, it's not the stuff of the big fines. That will happen at some stage when a misguided brand has a data breach it believes it can contain or wants to keep secret and doesn't inform the ICO. Mark these words: that's where the big fines will be -- not for sending out emails after someone has asked to be unsubscribed.
As for SMEs, all that most people will need to do is update their privacy notices to say they consider marketing a "legitimate interest" of the business and nominate a person to receive emails asking to be taken off the database. Pretty simple stuff, really.
I recently gave a talk about this and pointed out that the main difference between the Data Protection Act and the GDPR, which replaces it, is that when the ICO lists company responsibilities it moved from bulleted points to numbered items.
Pretty much everything in the GDPR is already in the DPA, as long as you don't choose consent as your legal basis for marketing.
I'm not suggesting companies take this short cut, because nothing is better than fully informed consent, but for the many SMEs who find they need a sticking plaster on May 25th, an updated privacy notice will get them out of a tight spot quickly.
As for the big guys where all the attention is, virtually everyone knows about GDPR and is working on it. The one problem they have is the internal mechanics of feeding back on information requests from the public but, you may be surprised to know, this is a right UK citizens already have. It's just that it's never been fully brought to our attention and virtually nobody acts on it. Some might flex their GDPR muscle on May 25th and beyond but I doubt the numbers will be great.
GDPR has fallen victim to spokespeople selling solutions on the basis they get them worked up and terrified about a new law which changes far less than many people are led to believe.
Come May 25th, I think we'll have another Year 2000, or Y2K, scenario where everyone was expecting the lights to go out but life just went on as normal, albeit with a monumental hangover.