GDPR – 12 months to go, 12 things to think about (Part 1 of 4)

So, here we are. There are less than 12 months to go to the implementation date of the new General Data Protection Regulations (GDPR) on 25th May 2018. It would be great to say that all UK businesses are well on their way to being ready, but data from the DMA released at an event this morning tells a different story.

Marketers are feeling less confident about GDPR than they did in February when 68% of businesses said they were ‘on course’ or ‘ahead’ of plans to be GDPR compliant by May 2018. Since that survey, the ICO and the Article 29 Working Party have issued guidance and discussion documents bringing businesses greater clarity around what GDPR compliance will entail. This greater clarity has caused respondents to reassess their positions:

• Only 55% of companies feel they are now ‘on course’ or ‘ahead’ of plans to meet the May 2018 deadline versus the 68% in February.
• Marketers perception of their knowledge as ‘good’ rather than ‘basic’ has also slipped from 66% to 59%.
• Marketers sense of being ‘extremely’ or ‘somewhat’ prepared has fallen from 71% to 61%.

What has not changed is marketers’ four big GDPR-related concerns:

1. Consent
2. Legacy Data
3. Implementing a compliant system
4. Profiling

There are twelve things that you might want to be thinking about to get you started. The first three are raising awareness, conducting a data audit and reviewing your privacy notices.

1. Awareness

If you are the only person in your organization that is thinking about GDPR, you could be in big, big trouble. This is a major change to the legislative regime in which your business operates, so not only do key people need to be made aware of the revisions your business will need to make, they also need to be made to care.

As one of the speakers at this morning’s DMA event pointed out, good data practitioners already have the proper use of data on their radar; many of the requirements of GDPR could therefore be considered business as usual. By stressing that this data attention is now in favor of helping the business comply with the new GDPR regulations, you may be able to obtain more budget for your undertaking.

While I am sure this is true in some cases, I know that for many companies, GDPR will represent a radical change in how they do business. It is critical that senior management is made of the impact sooner rather than later and that all members of staff are trained and brought up to speed on the changes over the next twelve months.

2. Data Audit

While you are running your internal PR campaign, you can also be talking to all of the people that have data bases squirreled away here, there and everywhere; and start auditing each of these. Among other things, you need to fully document:

• What data you hold
• Where you obtained it
• When it was acquired
• How often it is updated
• All of the places it is stored within your organization
• How the data flows from one place to another
• Who has access to the data throughout its journey
• How it is stored
• Where it is stored
• The retention policy for each datum

3. Privacy Notices

One of the things that will most likely have to change for most UK businesses under GDPR is their privacy notices. Being open, honest and transparent with consumers about what data you are collecting, why, how you will be using it and how you will take care of it has been a core principle of data protection law since the original Data Protection Act of 1998. What has changed, however, is that the legislators feel that data owners have not always done this to the best of their ability, so they have given marketers more detailed instructions as to what openness, honesty and transparency entails in practice. The Information Commissioner’s Office (ICO) has released a great code of practice on privacy notices.

Check out our second installment of GDPR: 12 things to think about.

Editors note: The materials and information above is not intended to convey or constitute legal advice. You should seek your own advice specific to your business’ requirements.