A few days on from the enforcement of the GDPR and the world hasn’t collapsed! Although there have been rumours of massive fines for the likes of Google and Facebook, there have not been confirmed cases as yet.
Due to the vagueness of the GDPR articles, accompanied by the vast scaremongering around significant fines, consent requirements and rapid data breach notification deadlines, there has been a GDPR panic as to the implications for business. Our advice has always been to take a pragmatic approach to meeting compliance tailored to the nature of the business. Organisations should be rational and ensure their main sources of data privacy risk are protected with higher security measures, whilst taking a more relaxed approach with lower risk areas.
Turnkey has been exhibiting at events either side of the GDPR effective date and it’s been interesting to compare notes with other exhibitors on how different companies have interpreted the legislation. The response has been very mixed, ranging from total blocking of all contacts known to be EU / UK entities to a completely unchanged approach to lead generation and prospecting activities. In some cases, organisations have tied themselves up in knots in their attempt to demonstrate total compliance with both the letter and spirit of the regulation.
We have made minor updates to our behaviours at conferences and events but not fundamental changes. We have been more discerning with the ‘scanning’ of delegates by qualifying the conversations to understand whether there is real value in taking down their contact details. We have also focussed on clarifying consent through the conversations and transparency of what the intended use is for the information. We recognise, however, that making direct contact with new prospective customers and delivering quality content that is appropriate and relevant to them is fundamental to what we do as a growing business.
It is important to remember the regulation hasn’t been enforced to hinder business. Rather, it is to ensure organisations manage personal data more responsibly. Therefore, rather than impeding productivity, the GDPR should encourage organisations to develop their existing policies and procedures, cleanse data repositories and develop trust with their customers by demonstrating transparency with their data processing.
The GDPR is an evolution, not a revolution. Many of the data privacy principles are unchanged from the 1998 Data Protection Act. Transparency, data minimisation, integrity and security of data processing are all principles that companies should already be following under the previous Act. Further, many organisations should have strong data privacy policies and procedures in place, therefore organisations should seek to improve these existing policies rather than looking to start from scratch.
Although a source of great panic to many organisations, the GDPR effective date has been a very useful milestone to drive activities that could easily be missed. Certainly, we have used the deadline as an opportunity to reinforce privacy considerations and to perform clean-up actions that would otherwise have been easily put off.
Data Protection Authorities are not looking to catch organisations out. The focus of the GDPR is not the fines - it’s about shifting control back to the consumer. As long as companies can demonstrate adequate technical and organisational measures were taken to ensure data protection, the authorities will show leniency to non-compliance.
Going forward, organisations must take a realistic approach to implementing data privacy requirements under the GDPR. While authorities do have the power to inflict significant fines, their approach is to guide, help and educate organisations to achieve compliance. Companies should see the GDPR as an opportunity rather than a hindrance, which will benefit both the organisation and individuals.