So May 25th has come and gone. After a last-minute surge, you have stopped receiving those privacy notices (mostly), your junk email may have even gone down in volume – although the spam you really are fed up with is probably still there. So GDPR was a success, right? Now it’s back to business as usual…
I would argue that anyone who subscribes to this view is largely missing the point of what GDPR was actually set up to do. Let’s understand why it was created and what GDPR holds for us going forward.
What is GDPR actually all about?
Now that we have had time to process all of the information which came at lightning speed from every source possible, most of us have come to realise that GDPR was not intended to be a one-off shake-up of data protection policies and procedures – it is about keeping personal data safe on an ongoing basis. A good comparison is with the introduction of the health and safety at work legislation in the 1970s. Today we all think about keeping our staff safe, not just about being ‘health and safety’ compliant; in fact, we often won’t deal with organisations with a poor health and safety record.
Think about that in the context of personal data. Would your company retain its clients if they had concerns about how their data is looked after? Unlikely, after the recent high profile privacy scandals. So as the profile of data protection grows, the requirement on firms to demonstrate their credentials inevitably will too.
Is GDPR the next PPI?
There are a lot of scare stories about the size of the fines possible under GDPR, but for most SME firms making a genuine effort to abide by the rules this should not be the main concern. Even under the previous data protection laws (where the limit on fines was much lower) the maximum fine was never levied. In fact, one of the bigger worries comes from the legal profession itself, more specifically the plethora of highly litigious compensation claims firms which have grown in number in recent years.
These organisations are currently busy pursuing PPI claims, but that source of revenue will soon end. GDPR states that any person who has suffered damage (material or non-material) as a result of an infringement of the legislation is entitled to compensation. The number of individuals who can be affected by a single data breach, combined with the ICO’s practice of naming the businesses to which it issues enforcement and penalty notices, looks like a match made in heaven for compensation claims firms.
Is the risk of Cyber Extortion high?
Firms which hold large volumes of personal and sensitive data, and which rely on their market reputation to win and retain business, could be the target of ransomware attacks. Criminals could prey on the likelihood that these firms would prefer to pay a ransom for the return of their data rather than risk the fine. Unfortunately that puts legal practices directly ‘in the firing line.’ It is worth remembering, though, that paying does not make the problem go away: under GDPR a ransomware attack which makes personal data unavailable is itself a personal data breach, the duty to assess it and, where there is a risk to individuals, notify the ICO within 72 hours still applies, and there is no guarantee that the criminals will actually hand back the data. Tested, offline backups remain the more reliable protection.
How will it affect your marketing going forward?
A great deal of confusion remains around marketing activities under GDPR, much of it due to misinformation from individuals who do not fully understand the regulations. In fact, GDPR does not itself change the rules governing electronic marketing, although the standard of consent and the lawful bases on which you may be able to market to individuals have been updated.
The existing Privacy and Electronic Communications Regulations (PECR) continue to run alongside GDPR and, in brief, allow you to market to corporate subscribers without consent as long as they can opt out. This does not apply to individual subscribers, who must generally have given consent, the main exception being the ‘soft opt-in’ for your own existing customers whose details you obtained in the course of a sale and who have been given the chance to opt out. If and when the proposed EU ePrivacy Regulation replaces the current rules, this may need further review.
The good news!
GDPR ultimately makes it easier for you to know whom to trust and with whom to do business. Companies which are proactive and confident in their compliance are likely to say so in their marketing campaigns. It is a fantastic way to differentiate themselves from the competition and to earn the ongoing trust of existing and prospective clients.
So, let’s forget about the term ‘GDPR’ and focus instead on ‘personal data security.’ As the general public’s awareness of personal data security continues to grow and becomes part of everyday life, businesses and individuals will increasingly choose whom they trust to work with based not on reputation alone, but on how well they look after their clients’ data.