5 GDPR considerations you might have missed
When delving into GDPR, sometimes you can’t see the wood for the trees. Paul Snell presents five tips to help you chop your way through to the important issues
1. Don’t panic, there’s still time to prepare
If you’re just getting started with your GDPR preparations, don’t worry – the majority of organisations are in a similar position. The information commissioner’s message has been a reassuring one about how her office will approach enforcement in the period immediately after the regulation takes effect. But that’s no excuse to sit back and relax.
And if you’re planning a re-engagement campaign to re-permission your database, you need to work out what will make yours stand out, because every marketer in the EU will be thinking of doing the same thing in the four months left before the deadline.
2. There’s more to GDPR than just the issue of consent
It’s understandable that the issue of consent – how to gain it, manage it and, if necessary, prove it – is top of marketers’ concerns with regard to GDPR. The prospect of huge swathes of your current marketing database becoming unapproachable after 25 May 2018 is a big worry.
But it’s not the only aspect of GDPR marketers need to be concerned with. There’s the potential to become so wrapped up in the minutiae of gaining consent that you ignore some of the equally significant (and potentially harmful) changes GDPR is introducing, such as the new individual rights (access, rectification, erasure and portability) and the obligations that follow a personal data breach.
3. Who’s going to help you out?
B2B Marketing’s recent GDPR roundtables highlighted that many senior marketers are struggling to alert management to the implications of the legislation for marketing activity. This is despite the fact that, as one marketing director put it, “marketing has the potential to mess this up faster and more seriously than any other part of the business”.
Preparing for GDPR is such a mammoth undertaking that no senior marketer (or even department) will be able to tackle it alone. Identify those in the business who are tackling the same GDPR implementation journey, and buddy up with them to form a united taskforce.
4. A cautionary tale (how it went wrong for one company)
If you’re struggling to gain traction with senior management, a recent case study may help.
Last year Equifax suffered a cyber attack which resulted in the theft of more than 145 million consumer records (including names, phone numbers, email addresses and dates of birth), of which more than 700,000 related to UK consumers.
The company discovered the security breach on 29 July and alerted the public on 7 September. Under GDPR, you must notify the supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals; telling the public is a separate obligation that applies when the breach is likely to result in a high risk to those affected. Failure to notify in time falls into the lower of GDPR’s two penalty tiers: a fine of up to €10 million or 2% of annual global turnover, whichever is higher. Last year, Equifax’s worldwide turnover was $3.1 billion. Had this happened under GDPR, the potential fine for the late notification alone would have been up to $63 million, and that is before any penalty for the security failings that allowed the breach, which sit in the higher tier.
5. Always return to the spirit of the law
If you’re unsure about what’s allowed and what’s not under the legislation, consider why GDPR exists.
In a speech, the information commissioner Elizabeth Denham explained GDPR “creates an onus on companies to understand the risks they create for others, and to mitigate those risks”, and urged them to build a “culture of privacy that pervades an entire organisation”.
GDPR needs to be seen as more than a compliance exercise, or a set of legal loopholes for a canny marketer to exploit. This is about fundamentally changing your organisation’s approach to the way it deals with personal data.