A study by DMA group, formerly the Direct Marketing Association, has revealed that more than 40% of UK marketers say their business is not ready for changes in the forthcoming General Data Protection Regulation (GDPR).
What Is GDPR?
GDPR will come into force in May 2018. This new Regulation replaces the EU Data Protection Directive of 1995, and the focus of GDPR is on ensuring that businesses are transparent and protect individual privacy rights. The Regulation from the EU, which consists of 99 articles, covers data that is produced by an EU citizen, whether or not the company is located within the EU, and it covers people who have stored data within the EU, whether or not they are EU citizens.
The DMA Group Study Results
The recent DMA Group Study asked 197 (B2B) and consumer-facing companies their thoughts about GDPR and found that while more than half of companies (56%) feel that they are on track with their GDPR plans, 17% feel that they are behind and 15% still have no integrated plan.
16% of respondents themselves in the study were reported as saying that they felt extremely or somewhat unprepared for GDPR, and 31% felt that their whole organisation was extremely or somewhat unprepared.
What’s The Problem?
One of the biggest concerns of the companies surveyed was about the definition of consent (28%). Consent under GDPR, for example will have to be unbundled i.e. consent requests are separate from other terms and conditions, granular (a thorough explanation of options to consent must be given), named (state which organisation and third parties will be relying on consent), and documented (keeping records of how consent was gained).
Consent will also have to be easy to withdraw, and under GDPR implied consent will disappear. These complications around consent and the possible legal consequences of getting things wrong are clearly a concern for UK companies.
Worries about GDPR also appear to be growing in businesses as the deadline looms. The study showed for example, that 64% of marketers believed their organisations will be either very or extremely affected by the regulation, compared with 54% in May.
Some commentators have highlighted a possible positive perspective on GDPR as a catalyst to transform the way organisations speak to customers, and as a way of addressing issues in data protection that they may have had for a long time.
The recent Equifax data breach, where 143 million customer details are thought to have been stolen, and where serious questions have been asked about the company’s conduct in handling the breach, has brought data protection into even sharper focus prior to GDPR and has reminded companies that they have to notify customers of a problem early on.
What Does This Mean For Your Business?
Warnings about the importance of GDPR preparation have been cropping up in the news for more than a year, and successive studies have revealed how businesses have felt unprepared and worried by the complications of the subject, or are simply in denial. One of the key challenges for companies in addition to getting an understanding of consent issues is making sure the technology is in place to help deal with data in compliant way e.g. having the ability to purge or modify data, search and analyse personal data to uncover explicit and implicit references to an individual, or accurately visualize where data is stored because the repositories are not clearly defined. Some technology products are now available to help deal effectively with data, and many tech commentators believe that developments in AI and machine pattern learning / deep learning technologies will be able to be used by companies in the near future to help with GDPR compliant practices.
At this late stage, companies need to press on with and get to grips with GDPR and its implications, perhaps seeking professional advice to highlight which areas are most legally pressing. Taking a positive perspective, not only is compliance with GDPR necessary, but it could actually make sound commercial sense, through providing competitive advantages (because data security is valued by customers), and could have knock-on effects to the cyber resilience of companies.
Companies that have been proactive and moved quickly on this issue could therefore be the ones most likely to minimise the threat of penalties (the law profession is already geared-up to respond to customer complaints), and gain advantages in a marketplace.