I have a confession to make. Until relatively recently whenever I saw the letters GDPR, I thought that is for the data geeks to be worried about. But I kept seeing them (the letters, not the geeks) and I figured I had better just check what all the fuss was about.
I should be clear from the get-go: the days of my being responsible for a database of five million contacts are past. Nowadays, all I hold are the contacts on my phone, which I acquired directly from individuals who were clear that I would get in touch with them from time to time about meeting for a drink and/or to tap them up for work.
My first attempt to find out more was asking a data-head I know, who opened with “it’s really complicated” and muttered something about privacy.
I hate being told something is complicated. I tend to think either they mean it is too complicated for someone like me (in other words, a woman) or that they haven’t got a clue themselves but don’t want to admit it.
Anyway, it spurred me on my quest to discover the truth about GDPR, or the General Data Protection Regulation to give it its full name. It will be enshrined into UK law via the Data Protection Bill announced today (7 August).
And it turns out it isn’t really that complicated. Yes, it could be more transparent and more guidance would be good, but I could understand it. I had, however, underestimated the impact it will have.
It is designed to draw together all the various bits of EU data protection directives and regulation, as well as strengthen UK data protection laws, to make them fit for the future and ensure citizens have control of their own personal data – words to strike dread into the hearts of some marketers.
Change of approach to data use
It will completely transform the way marketers use data. Say goodbye to buying in mailing lists. In fact you may well have to bid arrivederci to any existing lists you have bought in. You will certainly have to ensure that you have proper permissions to get in touch with each and every single person on the list for everything you contact them about.
And if you breach the new regulations, you risk serious fines – 4% of annual global turnover or £17m, whichever is higher. This would be enough to sink a lot of businesses. Forget brand safety on YouTube; if I were still in charge of my five million-strong database, this is what would be keeping me awake at night.
But a worryingly large number of organisations seem to be well behind the curve. A YouGov survey of 2,000 businesses published in May, just a year before the regulation comes into effect, revealed that only 30% had started to put their GDPR houses in order.
Can it be the case that the other 70% are in the same state of blissful ignorance as I was a few weeks ago? Is it that they think because this is an EU thing, it won’t apply to them? Er, that would be a no. Its importance has become even clearer with the new UK bill.
Hard or soft Brexit, the new data protection laws will apply to your business. There is no avoiding it but the smart ones among us will grasp it and use it as an opportunity to engage with their customer base.
Who needs hundreds of thousands of names if only a small percentage of them are even interested in your products or brand? Wouldn’t it be better to engage with fewer people if they are the ones most likely to buy? It would certainly yield a better ROI.
A few brave souls such as JD Wetherspoon have adopted the radical approach of starting from scratch. And I applaud it. They can be confident the data they hold is compliant, but more importantly they can be confident that they will be talking with people who actively want to talk to them. The dialogue should be more rewarding for both parties as a result.