The EU’s General Data Protection Regulation (GDPR) comes into effect in May 2018. Regardless of Brexit, the new legislation will still apply to all UK organisations that process the personal data of EU citizens. That effectively means that there will be few businesses that will never have to align themselves with the new regulations and many companies will need to get their house in order quickly to meet the rapidly approaching deadline.
There are concerning signs that many UK businesses are still struggling to understand the implications of falling short of the new regulation’s stipulations. In a recent report by Sophos, based on a poll of 625 IT decision makers in four countries, more than half of UK businesses admitted that they know either nothing, or very little, of the financial consequences of not complying with GDPR. Organisations found to be in breach may face fines of up to €20 million or 4% of their annual turnover. There remains a clear need for a process of education to be put in place to bring businesses up to speed with the implications of the pending legislation.
Marketers have more reason than most to sit up and pay attention. They have reaped the rewards that big data has brought in terms of painting a clear picture of their market position; tracking the behaviour and preference of customers and prospects; customising products; and creating offers tailored to their needs. The advent of GDPR, however, is focusing the minds of marketers on the responsibilities that come with the right to access data. Big data has given marketers the power to reach out more intelligently to target groups, but that power also needs to be tempered by recognition of the need to treat the data they have at their disposal with the greatest respect.
With their minds concentrated by the likely fines on offer, we are starting to see signs that marketers are getting the message here. They are increasingly conscious of what they need to do to comply – the process they need to follow is becoming increasingly clear.
Keeping data secure is a key part of the picture, of course. Marketers clearly need to implement the right systems to store the data they hold securely.
GDPR is, however, about far more than just security in isolation. It is just as much to do with the overall business approach and the value that each part of the business places on the concept of data protection.
Marketers need to be aware, for example, that the principle of Privacy by Design and by Default requires business processes to be developed with data protection front of mind. They need to prove that targeted prospects and customers have opted in to having their data collected and used, and they must respect the ‘right to be forgotten’.
What’s required above all else is a combination of the right technology and the will to use this technology and pursue the right policies and procedures to help ensure compliance.