Bradley Geppert, Managing Director, DS Compliance and member of the IoD, takes a look at how business has responded to the introduction of GDPR
We’ve been helping SMEs to adjust to the new ‘GDPR Way’ of doing things for many months now and thought it would be timely to offer some thoughts and observations on how well business has handled the major change in data collection and handling. Our clients, drawn from various sectors, including property, accountancy, charities, publishing and hospitality, have one thing in common: they are unlikely to attract massive fines from the ICO. The scaremongering before implementation – and subsequently – has been ridiculous, inaccurate and unhelpful.
Most clients, when we first meet them, have been whipped up into a panic and it can take a while for the facts to overcome the fear.
So if avoiding fines isn’t the reason to do something about the GDPR, even now, what is? In our experience, what really compels SMEs to act is the ability to keep doing business with others. Many clients have received requests from larger organisations asking serious questions about how they treat personal data, typically as part of supplier due diligence. If you’ve not asked yourself those questions, you stand no chance of being able to answer them and will be less competitive as a consequence. Asking those questions of your own organisation is the key to adjusting to the GDPR standard. The overarching principle is accountability (Article 5(2) of the GDPR): if you don’t know what data you hold, where you got it from, on what basis you process it, how you protect it and where you send it, how can you possibly demonstrate accountability?
Being compliant isn’t about having a shiny certificate or a brilliant privacy statement – it’s something you do every day. It’s being genuinely committed to protecting Data Subjects’ rights. Some companies have still not ‘got it’ – even very big ones who can afford expensive lawyers and PR teams. The concepts of ‘lawful basis’ and ‘legitimate interests’ have been widely misunderstood, especially where consent for marketing communications is concerned. This is, admittedly, a complex area – but why did we receive five separate re-consent emails from one major department store when we are quite clearly existing customers who qualify for the ‘soft opt-in’ under Regulation 22 of PECR (the Privacy and Electronic Communications Regulations 2003)? The soft opt-in means that an organisation which obtained your details in the course of a sale, and gave you a simple way to opt out at the time and in every message since, does not need fresh consent to market similar products to you. If even large organisations are still getting it wrong, perhaps that’s another reason not to panic while clarity emerges over the next few months.
What is true is that people really care about what happens to their data. We’ve quipped in various seminars that data is a really boring subject that gets very interesting when you delve into it a bit, but then very boring again when you look even closer and have to go through someone’s hard drives looking for rogue spreadsheets. Nevertheless, when we’ve run training sessions, what really engages people is approaching the topic from their own perspective. The presence of an always-listening device in the home, such as Alexa, makes the point vividly, for example, and when people really grasp the scale of the potential consequences of giving up their personal data, they understand just why we need the GDPR.
To discuss this article further, you can contact Bradley via: firstname.lastname@example.org