A recent email from my independent financial adviser reminded me of the scale of the task GDPR poses for any business that holds data, however small.
It was a seven-page questionnaire confirming my permissions to use and store my data – with reference to third-party, independent data compliance consultants – all the while making clear that they would not be able to advise me further unless I granted my permission.
Put simply, GDPR gives power back to individuals to access the information which companies hold on them. It also prescribes how companies must process, store and protect that data.
Yet a recent survey by the Institute of Directors indicates that one third of British business leaders are still unaware of it, a view confirmed by cyber security consultants NCC.
Many companies holding and using customer data are going to have to take action similar to the email I was sent, and both the costs and the opportunities for customer exasperation are legion.
A number of commentators have rightly suggested that people will simply ‘white out’ after a few such requests. This will mean that their data can no longer be used and that we may re-enter a world where companies are blind and customers forgo the relevance of targeted communications.
Then again, we already have many situations where we are asked to agree to very lengthy legalese T&Cs when signing up for things. Think iTunes, Facebook et al, and remember that most people haven’t even read the small print on their mortgages, insurance or car lease contracts.
Contrasts with the cookie law
Although the current data protection legislation has been in place since 1998, the last time we saw a major change in the regulations surrounding data and its misuse was in 2012, when the Information Commissioner’s Office (ICO) introduced stiff penalties for the first time in response to changes to the Privacy and Electronic Communications Regulations – also known as the ‘cookie law’.
At that time, confusion reigned – so much so that details of the eventual rules didn’t emerge until hours before implementation. A number of companies, including some very big advertisers, caught a cold, having changed their systems in anticipation of rules that didn’t materialise as they had expected.
This time it’s rather more orderly, so you can be sure of what you’re going to have to deal with. However, no one yet seems to have a clear view on how soon the authorities will flex their muscles and initiate prosecutions. Some believe there will be a grace period – though it won’t be long, maybe three months. I’m in this camp.
However, other experts believe that implementation will be swift and that the ICO will be looking for a few early and very public scalps – maybe a nice juicy bank or insurer. If you’re a big company with heavy consumer data use, best make sure your house is in order just in case.
Start at the horse’s mouth. The ICO has itself prepared a 12-point checklist, and the Internet Advertising Bureau has also drafted useful guidance.
Most corporate law firms have dedicated teams and yours is unlikely to be an exception. Can’t blame them for spotting an opportunity. And specialist consultancies have emerged too.
So if you’re already a long way down this road – as you should be – well done. You’re unlikely to get many nasty surprises.
If you’ve only just started, great, but you’d better crack on, as specialist advice will get very stretched, and likely pricey, as the deadline approaches. If you haven’t started at all, it’s probably not too late if you begin to act now.
Bob Wootton is Principal of Deconstruction Consulting and was formerly a director of ISBA.