Peak-GDPR is here: The latest Legal, Marketing and IT developments on the change
The clock is ticking for UK businesses to become GDPR-compliant, with the legislation coming into force in May 2018. The consequences of failing to adhere to the new rules are considerable: businesses of all sizes face fines of €20m or 4% of their global turnover.
In May three of our expert partners gave their view on how businesses should prepare for the legislation from a legal, IT and marketing perspective. Their advice was clear: put a GDPR lead in place, get your opt-ins, data processes and inbound marketing strategy in order by the end of 2017, and don’t rely on anyone to solve the problem for you.
Six months on, we’ve caught up with Trupti, Andy, and Pete again to see what’s changed with GDPR. Here’s what they had to say.
If you need a refresh on the basics of GDPR, have a read of our overview here before reading on.
The IT view: IT expert Andy Hart, Freeman Clarke Regional Director.
The marketing view: Pete Jakob, Marketing Director with The Marketing Centre.
The legal view: Founder of My Inhouse Lawyer, Trupti Harding-Shah.
Hi all, last time we spoke about GDPR there was a general sense that business owners aren’t prepared for the changes. Are they now?
Trupti, Law: We did a presentation on GDPR about two weeks ago to a group of 30 SMEs, and at the start we asked the question, “How many of you feel you will be ready to be compliant with GDPR in time for May 2018?”. About 70% said that they weren’t remotely ready, but what’s really interesting is that at the end of the presentation we then asked the same question again and 93% came back and said that they weren’t ready.
So, even the businesses who thought they were ready realised by the end of the conversation that they’d underestimated what was required of their businesses.
Andy, IT: Our experience mirrors that. We did a presentation to a room of about 80 people two weeks ago and asked, “Who thinks they’re compliant?”. Nobody put their hand up.
Pete, Marketing: I think there’s an increasing awareness of, ‘we need to do something.’ But what the ‘somethings’ actually are – that’s becoming very problematic right now. There really aren’t definitive answers on some fairly fundamental questions.
So from a legal, marketing and IT perspective, what have been the latest developments in the GDPR discussion?
Andy, IT: I think ‘peak confusion’ sums it up. People are seeing lots of very different advice and they’re confused about who is telling them the truth.
Trupti, Law: It can seem like peak confusion and some of this is down to the fact that not everything is completely pinned down yet. We find that each time the ICO or the Article 29 Working Party issues new guidance, there’s another burst of opinion and speculation – but it is possible to chart a course towards compliance.
Pete, Marketing: From a marketing perspective we’re actually finding many businesses are not compliant with the current legislation. I’ve seen all sorts of examples of marketing systems where it wouldn’t satisfy any law, let alone laws that haven’t come into enforcement yet.
Andy, what have been the most effective tactics and processes you’ve seen businesses implement?
Andy, IT: We’ve seen a number of businesses starting to look at their data and their processes, and there are some really interesting things that have come out of that. We’re helping businesses optimise, where necessary automate, and make sure they’ve got joined-up systems.
The caution is, don’t get side-tracked by the potential efficiencies you spot and ignore compliance. Get compliant, and then act on the other things you’ve found.
Any other cautions or watch-outs for businesses?
Andy, IT: I think it’s really tough when you look at some of the conflicting advice that’s out there from very reputable organisations.
Pete, Marketing: Absolutely. The number of SMEs who have become reliant upon data services from companies with some phenomenally poor practices is shocking. With some data suppliers we’ve talked to, it becomes very clear, unsurprisingly, that they’re giving you ‘advice’ that is very much rooted in their own business interests.
Trupti, Law: Self-education on the GDPR is important, otherwise it’s hard to spot whether the people you’re talking to, to help you get compliant, know what they’re talking about. You’ll want to make sure you get the right experts onboard.
Are there any common mistakes you’ve witnessed?
Andy, IT: We see people who are not clients at events and seminars, and you can explain to them at a high level what they have to do, but somebody has to be inside their business. A lot of businesses don’t have people on board of sufficient calibre to be able to get into the data.
Trupti, Law: We’re finding that some of the fundamentals are being misunderstood, which can really set back compliance programs. For example, if you don’t really understand what personal data is or how broad the definition is, then you’re likely to carry forward compliance blind spots where you’ve missed whole data sets. Given the investment in time and resource, it’s smart to start a compliance program off on the right foot.
Pete mentioned last time that businesses need a ‘single point of contact’ to be responsible for GDPR. Who is taking on that job predominantly?
Trupti, Law: We’re very mindful of the fact that it’s a joint effort between Law, IT, Marketing, HR, Finance – everyone has to be involved in this process and someone must lead at board level. We tend to come in at the start to educate, diagnose, create a roadmap and tool our clients up for implementation.
Andy, IT: Yeah, I think that’s the only way to do it, and the problem is we’ve got IT directors out there who would traditionally be responsible for things like Data Protection Act compliance. Some immediately think GDPR is all about information security. That’s part of it, but we really need to understand what data businesses have, who’s got access to it, and how it flows. This is multidisciplinary, and I don’t see many people out there accepting that.
GDPR needs legal advice. It needs IT skills. It needs marketing skills. It needs HR involvement. There’s a whole set of people in an organisation that need to be brought together to act on this issue, and somebody needs to lead it. Many organisations still haven’t found that person who’s going to take action and lead the way. They aren’t really involving the right people.
Finally, what are the biggest challenges between now and May next year for business owners?
Pete, Marketing: The runway between now and May is disappearing rapidly. Where people are falling behind is in moving to implementation. As we get to Christmas and beyond, everyone will be delivering opt-in programmes. As consumers, our tolerance for opting-in to additional programmes is going to be somewhat less patient than it might be now.
The sooner people get out and start doing something, the better.
The expert verdict is clear. Our key takeaways on GDPR remain constant, but with more urgency than ever:
- Make someone responsible for leading the multidisciplinary team managing your GDPR and data strategy.
- Decide whether you will rely on Legitimate Interest or Consent (or any other of the 6 justifications) as your lawful basis for processing personal data. Add opt-ins to all your digital marketing: do this soon to avoid the inevitable opt-in fatigue on the part of your email contacts.
- Carefully review what data you have, why you have it, and if it can be used post-GDPR.
- Build an inbound marketing strategy and get it running as soon as possible.
- Don’t wait for “them” to solve the problem for you; they won’t.
- Keep an eye on the evolving ePrivacy Regulations. At some point this will become a replacement for PECR and may drive additional obligations.
Thanks to Pete, Trupti and Andy for their time and advice. With only 4 months until GDPR comes into force, it’s clear that many businesses still have a lot to do to get ready. If you need compliance advice for your business, get in touch and we can put you in touch with one of our sister businesses to help. See our other GDPR Blogs here.