Bob Wootton: Don’t bet on GDPR offering the same lenience as the ‘cookie law’

In 2012, confusion reigned before the ‘cookie law’ came into force, but while no one knows how strictly GDPR will be enforced after 25 May, there’s plenty of advice available to act on now.

GDPRA recent email from my independent financial adviser reminded me of the scale of the task GDPR poses for any business that holds data, however small.

A seven-page questionnaire confirming my permissions to use and store my data – with reference to third-party, independent data compliance consultants – all the while making clear that they would not be able to advise me further unless I granted my permission.

READ MORE: GDPR: Five questions marketers must answer before May

Put simply, GDPR gives power back to individuals to access the information which companies hold on them. It also prescribes how companies must process, store and protect that data.

Yet a recent survey by the Institute of Directors indicates that one third of British business leaders are still unaware of it, a view confirmed by cyber security consultants NCC.

Many companies holding and using customer data are going to have to take action similar to the email I was sent, and both the costs and the opportunities for customer exasperation are legion.

Specialist advice will get very stretched, and likely pricey, as the deadline approaches.

A number of commentators have rightly suggested that people will simply ‘white out’ after a few such requests. This will mean that their data can no longer be used and that we may re-enter a world where companies are blind and customers forego the relevance of targeted communications.

Then again, we already have many situations where we are asked to agree to very lengthy legalese T&Cs when signing up for things. Think iTunes, Facebook et al, and remember that most people haven’t even read the small print on their mortgages, insurance or car lease contracts.

Contrasts with the cookie law

Although the current data protection legislation has been in place since 1998, the last time we saw a major change in the regulations surrounding data and its misuse was in 2012, when the Information Commissioner’s Office (ICO) introduced stiff penalties for the first time in response to changes to the Privacy and Electronic Communications Regulations – also known as the ‘cookie law’.

At that time, confusion reigned – so much so that details of the eventual rules didn’t emerge until hours before implementation. A number of companies, including some very big advertisers, caught a cold, having changed their systems in anticipation of rules that didn’t materialise as they had expected.

This time it’s rather more orderly, so you can be sure of what you’re going to have to deal with. However no one yet seems to have a clear view on how soon the authorities will flex their muscles and initiate prosecutions. Some believe there will be a grace period – thought it won’t be long, maybe three months. I’m in this camp.

READ MORE: The ICO preps campaign to educate consumers on data and GDPR

However, other experts believe that implementation will be swift and that the ICO will be looking for a few early and very public scalps – maybe a nice juicy bank or insurer. If you’re a big company with heavy consumer data use, best make sure your house is in order just in case.

Start with the horse’s mouth first. The ICO has itself prepared a 12-point checklist which you can access here. The Internet Advertising Bureau has also drafted useful guidance.

Most corporate law firms have dedicated teams and yours is unlikely to be an exception. Can’t blame them for spotting an opportunity. And specialist consultancies have emerged too.

So if you’re already a long way down this road – as you should be – well done. You’re unlikely to get many nasty surprises.

If you’re only just started, great, but you’d better crack on as specialist advice will get very stretched, and likely pricey, as the deadline approaches. If you haven’t, it’s probably not too late if you begin to act now.

Bob Wootton is Principal of Deconstruction Consulting and was formerly a director of ISBA.

Hide Comments3 Show Comments
  • JP Arnull 5 Mar 2018 at 8:30 am

    This is going to be a nightmare for small businesses. Imagine Company A, turnover half a million, who have built up a customer base (professional) over 50 years of some 5000 names.
    Equally look then at the Terms and Conditions of Facebook, Amazon etc who now veil this somewhere in 40 pages of terms. They should be made to contact their customer base on this specific issue, then maybe, every time I buy something on line e
    I will be spared all the adverts for similar immediately afterwards.

  • Pete Austin 5 Mar 2018 at 10:32 am

    Re: A seven-page questionnaire confirming my permissions to use and store my data – with reference to third-party, independent data compliance consultants – all the while making clear that they would not be able to advise me further unless I granted my permission.

    That is not compliant with the GDPR
    (1) That requires, “any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language”.
    (2) Any threat to stop advising you means that your consent is not freely given. “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

  • Pete Austin 5 Mar 2018 at 10:35 am

    ^ in summary it seems that your IFA should be relying on Legitimate Interests, not consent, because any attempt to get consent will likely by invalid.

  • Post a comment

Latest from Marketing Week


Access Marketing Week’s wealth of insight, analysis and opinion that will help you do your job better.

Register and receive the best content from the only UK title 100% dedicated to serving marketers' needs.

We’ll ask you just a few questions about what you do and where you work. The more we know about our visitors, the better and more relevant content we can provide for them. And, yes, knowing our audience better helps us find commercial partners too. Don't worry, we won't share your information with other parties, unless you give us permission to do so.

Register now


Our award winning editorial team (PPA Digital Brand of the Year) ask the big questions about the biggest issues on everything from strategy through to execution to help you navigate the fast moving modern marketing landscape.


From the opportunities and challenges of emerging technology to the need for greater effectiveness, from the challenge of measurement to building a marketing team fit for the future, we are your guide.


Information, inspiration and advice from the marketing world and beyond that will help you develop as a marketer and as a leader.

Having problems?

Contact us on +44 (0)20 7292 3711 or email

If you are looking for our Jobs site, please click here