GDPR has been looming for a while now, but today it is on our doorsteps. It’s not just soon; it’s tomorrow. Is it time to panic, as seems to be the prevailing belief? No, definitely not! Whether you have started your transformation programme or not, here is some advice for this week:
Although we are all being bombarded with re-consenting emails, if you have assessed your contact database and decided, using the ICO guidance, that it already meets GDPR standards (helpful blog posts on that here, here, and here, even if I do say so myself), don’t feel pressured to follow suit: it will likely mean a huge blow to your contact list for no compliance gain.
It does seem as though a few organisations are sneaking consent emails through to people with whom they had either only a tenuous relationship in the past, or no relationship at all (I can say I've personally had a few from companies I've never heard of!). Although it can seem a tempting strategy for bumping up marketing list numbers, any complaints received by the ICO during this time will still be looked at (although likely a bit late), so the risk of being found in breach by the ICO and fined for it is still present.
Ignore the Journalists
Ignore absolutely all reporting from anywhere which isn’t from an information law expert. As awareness that people have to do something to do with data protection increases, so does reporting on it. However, it is a complex subject, and a lot of the nuance has been lost by reporters. This means editorial oversights and plain mistakes from respected sources are rampant. To name (and shame) a few:
I could go on for days listing mistakes from well-meaning journalists, as almost every article I have read includes glaring inaccuracies. However, it’s advisable to ignore them altogether to avoid spinning out in a panic. Various negative outcomes can arise from reading them and taking them seriously: from undoing hard work already undertaken because you have read in multiple sources that the measured path you have taken is incorrect, to making rash decisions about what needs to be done going forwards if you haven’t started your change programme yet.
If you have yet to get your change programme in place to uplift your organisation to GDPR standard, hopefully all the emails and hype about it this week will help push the need for it internally. However, it is highly unlikely you will be bombarded with right to erasure requests come Friday, so prepare for the change programme using reliable sources and your knowledge of your organisation, rather than attempting to enact it in a panicked few weeks (or even days). Rushed compliance will lead to mistakes and may be costly for several reasons: overdoing it (not all of your systems will need APIs to adhere to data portability requirements! Possibly none will), underdoing it (doing a rush job of it now will likely mean less interest or funds to become compliant later), or doing it wrong (take your time to take stock of what information you have, what requirements apply to you, and how to implement them in your business in a way which will fit into your culture).
Yes, GDPR is a 'big deal', and yes it is here tomorrow, but there is no need to panic. Especially if your own change programme is well underway!