Desperation sets in as GDPR deadline looms

With GDPR coming into force in the UK in less than a month’s time, experts have warned that as time ticks away the number of inquiries to the ICO and legal firms is increasing.

At a roundtable hosted by the Direct Marketing Association (DMA) earlier this week to discuss where organisations are in terms of compliance with the forthcoming EU regulations, it appears that many companies are still struggling to ensure they are fully compliant with the law.

A pragmatic approach

According to Richard Sisson, senior policy officer at the Information Commissioner’s Office (ICO), the number of questions concerning GDPR as the deadline approaches, has increased “dramatically”, and appears to be only getting worse.

However, he said the ICO is “still trying to be a pragmatic organisation”.

“We understand compliance is not always going to be immediate. We are also trying to say that we don’t expect May 25 [to be] ‘that’s the end, you’re done now, you can forget about GDPR, it’s gone’. It’s an ongoing thing.”

He said the ICO has been reassuring businesses who are struggling to comply, that if they can prove they are working towards the accountability principle within GDPR, this would be taken into consideration. “I’m not going to say we will be entirely happy about that, but we understand that.”

He added: “We want to reassure people that we are not suddenly going to issue large fines on the 27 May. We do take into consideration the work being done towards [compliance]”.

“We’re not here to take people out of business”

Sisson added that the ICO wasn’t out there to “take people out of business, we just want business to realise how important data protection and privacy are and to take care with sharing data”.

This was echoed by Chris Combemale, chief executive of the DMA. “May 25 is not like Y2K, it is not a sprint and if you are compliant, and you don’t have to do anything for the next ten years.

He added that GDPR was a way of thinking about your customer and business that is “permanent and long term”.

Getting started and finding out what is important

If retailers and marketers haven’t started dealing with GDPR, then they will need to find out what the most important thing for them to do is and start there, according to Richard Merrygold, director of group data protection at UK domestic repairs business HomeServe.

“It is having a good basis for consent, it is having somebody in place who can advise your business, is it about going out and re-consenting and it is doing your data mapping and understanding where all your information is,” he said.

Merrygold added that if a company is generally good at data protection, “you’re probably going to be okay with GDPR”. He added that while the bigger companies are very well prepared, his main concern was the SMEs, “who have never really had to think about data protection and are now having to think about the whole of GDPR.”

Everyone suddenly wants to know what’s going on

With a month to go, it may seem rather late to only now start worrying about GDPR, but that is what is happening. According to Robert Bond, a partner at law firm, Bristows, he has been fielding around six inquiries a day from companies wanting to know how to comply with the forthcoming regulations. And non-EU companies are finally waking up to the fact that these rulings will also affect them.

He said that three calls came in from US firms telling him they don’t have anything in place but now realise that these rules apply to them and then ask for a “quick-fix solution”.

“I think there's an awful lot of businesses out there, particularly outside the EU, that have suddenly realised the extra territorial nature and that's come as quite a shock. They are assuming it's a tick the box exercise, which of course it isn't."

Bond then warned companies that once the rules kick in, he predicts a huge spike in consumers requesting access to their data. He said privacy groups will use this right to find out if companies are taking the appropriate actions.

“There is no cost. And then once they’ve found what’s going on about them, then there will be the rights of erasure request, the portability requests,” he said. This, would lead to some well publicised events post-May and potentially some legal action by consumers.

“The businesses that proactively reach out and say ‘you should trust us’ because we take a proactive, ethical approach, are going to manage the storm better than those pretending it isn’t going to happen,” concluded Bond.

What’s Hot on Essential Retail?