On 14th April the European Parliament approved the General Data Protection Regulation (GDPR) text. For many organisations that are already on the path to ensuring adherence to the new ruling, this announcement will not be a cause for concern. However, for those that are behind schedule, or are yet to begin preparations, then I suggest sounding the alarm.
The aim of the GDPR is to support consumer rights and at the same time provide clarity for businesses, by establishing a single law across the EU.
What worries me is that there is a misunderstanding in the industry that just because the GDPR does not become enforceable until July 2018, it means they are safe from being penalised between now and then. This is not the case, even if there is a Brexit! Organisations need to be aware that If a significant number of complaints are lodged then a company is likely to find itself on the receiving end of a substantial fine from the Information Commissioner’s Office (ICO), and in the firing line from the national media, bringing with it further reputational damage.
The truth is, all the 2018 date really means is that a company could be singled out if they fail to comply, even if they have not received any complaints. But let’s be realistic, are companies really going to be flagged for investigation if they have not been complained about? The 2018 enforcement date is a misnomer and organisations dragging their heels need to pick up the pace and focus.
The GDPR warrants close inspection but some of the key questions you need to ask yourself are…
- You have the appropriate consent for each data subject
- You have an adequate retention policy
- Your suppression processes are timely and robust
- Your database records consent and engagement dates and location, consented categories and channels
It is important to note that brands and agencies alike must take responsibility for conducting their own adequate due diligence.
My advice to all that will be impacted by the GDPR (and that is every EU organisation with customers!) is to focus on the here and now, don’t think of it as a two-year grace period (it isn’t) get compliant as soon as possible.