GDPR probably won't decimate businesses but it might leave some burned

We discuss what GDPR might mean in practice

The impending threat of GDPR is giving European marcomms professionals an excellent boost. Now there is plenty of spurious web research to be delivered for a wealth of “Shock! 92% of businesses are not prepared!” headline stats.

The reality is probably a little more nuanced than the blanket picture of panic being presented. But GDPR is new – pretty stringent, with some hefty fines – and has the potential to have a big impact on a lot of global businesses. However, there is no real reason why any should come truly unstuck, provided they are prepared and have not been taking a morally dubious approach to individuals’ data in the first place.

The first and most striking thing that seems to get forgotten about GDPR is that this European ruling impacts any business that deals with European citizens’ data. This means that while in Britain and Europe the concerned headlines are frantically doing the rounds, this is still largely under the radar of international firms based outside the region. It seems likely that this could cause some difficulties in the run-up to May 2018.

The second thing that seems to emerge most strongly is that while there is a lot of talk about specific rulings – like right to be forgotten – what might prove the biggest fundamental challenge for many businesses is knowing exactly where their data is, so they can comply. This is not, therefore, so much about ticking the necessary legal boxes but about getting a true handle on their data, which may be duplicated for testing, stored with third party partners or simply transferred willy-nilly across employee devices so they can work remotely.

Yahoo! – and the other “we were breached years ago and only found out last week” reports emerging with alarming alacrity – just go to show how little clue many large companies have about their data. I suspect a great chasm of irony exists between the shiny sales collateral which proudly proclaims many a “data business” and the real-life scrabble of replicated Excel spreadsheets manually updated and emailed at random by poor saps on the minimum wage. There may be fundamental cultural issues that need addressing here in many organisations.

It seems likely that businesses that have already been regulated to the hilt – like financial services – may, in some ways, have a tougher time complying with GDPR, but because of the nature of their business are already well on the journey. These types of companies either have explicit financial worth in their data or Intellectual Property that has a clear market value. This direct monetary figure on the data means most already have clearer storage and handling processes and are better prepared to tackle security breaches.  

GDPR is pretty categorical for an EU regulation, but as it is brand new there is still quite a bit of uncertainty around how the rules might be interpreted in practice. Stipulations such as the requirement that individuals provide ‘explicit consent’ for the use of their data could mean a number of things, and these types of grey areas might have a serious impact on industries like marketing. That industry often has a somewhat lax approach to data and privacy, and often sees employees stalking individuals round the web and harvesting their details off social media.

This new focus on individual rights can, in turn, breed a different kind of panic in businesses with concerns that whole industries – those which build their revenue on gathering and selling data – could be entirely decimated by the ruling. Yet this type of concern is probably a little premature. As long as businesses are prepared – have a handle on their data – and are not too nefarious in their existing practices, with a legally defensible position on each grey area, they should be fine.

Europe, as a continent, may be incredibly concerned about privacy, but individuals themselves are still generally quite negligent. The overwhelming mass of data breaches has still not really stopped people from using one password across multiple sites. Meanwhile, the terms and conditions that need ticking to do anything at all are always likely to be too long and boring for the majority to read. The truth is people know they have to swap their data for all kinds of goods and services, and most will never be bothered to exercise their newfound ‘right to be forgotten’ unless they become stupidly angry with a company.

Overall, GDPR forces businesses to be less slapdash with individuals’ data and also makes them work that little bit harder not to annoy customers. There is no real reason why anyone should come a cropper from this – although the first one to fall foul of the rules may be guillotined as an example. Yet companies do need to be aware that this is happening, they do need to realise GDPR impacts any international organisation which deals with European citizens’ details, and above all they must have good visibility on their data.


