GDPR: What we’ve learnt in the past 12 months

How are you feeling about GDPR these days? Better? Or are you still breaking out into a cold sweat every time you see those letters – even now, twelve months after the EU data-protection regulations were introduced?

This time last year you could hardly go online without being bombarded by articles, emails or social posts warning you of impending doom and multi-million-pound fines if your business failed to properly secure its data or enforce the new, stricter privacy rules.

A lot of those warnings were hyped up – particularly if they were from a company trying to sell you something – although it’s still too early to be sure if apocalyptic predictions will come true for many businesses.

All the same, we certainly know a lot more now than we did last May about how businesses like yours are responding to GDPR and how the regulators are applying the rules. So, with the help of Cognition24’s Commercial Director, Tim Chisnall, and a few of our expert friends, here are the top ten things we’ve learnt about GDPR so far…

1. There’s actually an upside to GDPR (if you get it right)

Or at least, there can be if you see GDPR as an opportunity, says Dan Kurk, Director of Sales Operations at CartAssist, a provider of digital customer engagement solutions. “I think GDPR has been a much-needed reality check for some organisations with regard to how they’re holding their customer data – especially historical and expired data – as well as their housekeeping around personal details,” he says.

“Most businesses that we’ve worked with have been open to the change and understand why it’s necessary,” he adds. “So the upsides are all based around those who interpret and use GDPR correctly. With many companies purging their marketing lists, it leaves a great opportunity for companies who understand how to navigate through GDPR correctly.”

What’s more, getting it right can be a positive boost for your business brand – and the more transparent you are about how you use your customers’ data, the better. “Consumers are becoming much savvier about how organisations look after their personal information,” says Brian Craig, Legal Director at law firm TLT. “So being transparent about how personal data is being used and protected allows businesses to build trust and engagement with consumers. Also, having a solid data protection compliance programme is something investors will consider when assessing the value of a business.”

2. There’s no need to over-react

It appears that some companies have panicked and hit the delete button a little too quickly… “You should treat GDPR compliance as an evolution, not a revolution,” advises Tim. “Getting the basics right – of managing your customers by communicating with them and respecting their preferences – will ensure you won’t go too far wrong.”

“We’ve definitely seen a lot of organisations over-react to GDPR,” adds Dan. “They’ve either completely destroyed good data through fear or even presented their customers with incorrect information around opt-in and how they can and cannot communicate with them in the future.”

Dan also agrees that transparency is the most important thing. “The way in which you communicate with your audience hasn’t changed; you just need to be clear about how and why you’re speaking with them and that you require certain information in order to do so.”

3. Certain tech companies need to get their game in order

“The most difficult aspect of GDPR in my personal experience has been waiting for certain software vendors to update their own platforms and provide guidance on using this new functionality,” says Dan.

“It’d be unfair to name names here,” says Tim, “especially as cloud vendors are regularly pushing out updates to improve their offering and keep up with regulatory requirements. The best bet is to speak to an expert consultant, who’d be able to guide you through some of the best options and warn you of any potential pitfalls.”

4. SMEs aren’t likely to land Google-sized fines

“Leaving aside the recent €50m levied against Google by France’s regulator, when it comes to smaller companies, the majority of fines issued so far have been relatively low, for breaches of traditional old regime requirements,” says Brian.

“And the expectation that regulators would adopt a machine-gun approach against any company that has failed to get completely up to speed with the new requirements has not yet materialised,” he adds. “This should not, however, be reason for smaller companies to completely ignore areas of non-compliance – it only takes one individual to complain for the UK regulator, the ICO, to come asking questions.”

And don’t necessarily expect to be treated differently just because you’re a smaller operation than Google. “The ICO takes a risk-based approach to data protection issues,” explains Brian. “It’s not so much the size of the business but the risk of harm to data subjects that is of concern. That said, larger organisations are certainly under more pressure to avoid appearing in the media for data breaches involving thousands or even millions of customers’ information.”

5. You really, really need a Data Protection Officer

And you need to ensure they’re a key member of your team who will help to bake in best practice from the start, while taking personal responsibility for ensuring you stay on the right side of the law.

“For SMEs, it’s around making sure that you have assigned to a member of staff the responsibility of being your Data Protection Officer,” says Dan. “I’ve seen many businesses relying on outside consultants to help shape GDPR policy. This leaves them exposed, as nobody in the business is responsible for compliance once the initial policy is set.”

Brian agrees. “The biggest lesson is to keep data protection front of mind from the beginning of all new projects,” he says. “It’s much more difficult to retrospectively ‘fit’ data protection into existing workstreams – as many businesses found when first implementing the GDPR. Consider data protection elements and mitigate any risks at the start of a project to avoid potential pitfalls down the line.

“A record of processing is a useful document for having oversight of all the ways personal data is being used in your business and is a good place to start,” he adds. “Ensuring all your policies and privacy notices are up to date is also key – both in terms of GDPR compliance and it being an accurate reflection of the way your organisation is using personal data.”

6. Don’t think Brexit will let you off the hook

“Deal or no deal, Brexit or no Brexit, the same rules will apply,” warns Tim. “The UK government is committed to replicating the full set of GDPR regulations in UK law, however our future relationship with the EU turns out.”

7. GDPR isn’t just about your customer data

It’s about your employee data, too. “Almost everyone I’ve spoken to about GDPR has been focused on the customer and the use of marketing data,” says Dan. “But companies also need to remember that GDPR covers personal data processed or handled across the business in any capacity – including their own staff. While a lot has been done already, I believe most businesses still have work to do to be completely compliant in that respect.”

8. GDPR could be the next PPI

“You might not be on the radar right now,” says Tim, “but because GDPR is so high profile these days, I think it won’t be long before we see consumer rights organisations highlighting data breaches, misuse of data, and so on. I wouldn’t be surprised if the PPI firms, as their ability to operate draws to a close, move into what could be a lucrative new space for them.”

9. There’s still lots to do

“GDPR has put data and privacy firmly on the agenda for most small businesses,” says Tim. “That’s a good thing, of course, in terms of both doing the right thing by your customers and using your data to make smarter business decisions. But there’s still lots more that most companies need to do to keep up the good work in the way they communicate with their customers and in ensuring they continue to respect their communications preferences.

“A good place to start would be to run a data health check and test your ‘audit-ability’ – that is, how would you perform if the ICO came knocking on your door tomorrow to see how compliant your organisation is?”

10. Marketing teams are working harder and still confused …

Tanja Mitchell, a Sales and Operations Consultant, believes that “marketing teams have been forced to work harder since the introduction of GDPR, particularly in relation to how they obtain target lists”. Lead generation is, therefore, more measured and targeted, often resulting in a better return.

And there’s still confusion over what is meant by “Legitimate Interest”. Some businesses seem to believe that this gives them free rein to use personal data without worrying about consent, provided their reason for using the data is genuine. This could be because one example cited by the legislation is direct marketing. However, if you consider GDPR in conjunction with other legislation relating to direct outreach, such as the ePrivacy Directive, it’s clear that how you obtained personal data for marketing purposes still matters, and that the need for opt-outs still applies.