For some of us it felt like the 25th May deadline was looming for a long time and in fact GDPR has been in development since 2011. For others, the deadline came around far too quickly and there’s been a last-minute flurry of activity.
The date has now passed. The world is still turning and no organisations have been put out of business by gargantuan fines… yet. For consumers there may be a sense of relief that the dozens of emails from marketers seeking consent have come to an end.
But now that GDPR is live, what should we expect? Based on conversations with industry insiders, there are five key pieces of advice for businesses.
1. Remember, it’s a marathon, not a sprint
Following a last-minute rush by some organisations to get “GDPR-ready”, a lot of people are breathing a sigh of relief that this milestone has now passed. However, this is the wrong way to look at it. The deadline was just the beginning of a journey and it marks a new period where organisations will constantly be questioned on their compliance and challenged to show that the requirements of GDPR have been sustainably embedded into their everyday working practices, and perhaps more importantly, into their culture and values.
2. Be ready for consumer activism
We are likely to see consumers “poking the bear” in the next couple of weeks. In particular, we should expect data privacy activists to deliberately test organisations’ compliance. This is likely to take the form of “subject access requests” where private individuals request to see what personal data a company is holding on them.
In fact there is potential for data privacy activists to submit multiple requests so that organisations are so overwhelmed that it slows down their normal day-to-day business.
Even beyond activists and campaigners who are deliberately targeting or testing prominent organisations, we will see much more knowledgeable everyday consumers who are better educated and equipped to ask questions. This will become even truer over time as the Information Commissioner’s Office (ICO) runs its public education campaign, “Your data matters”, to help educate consumers on their rights in the GDPR environment.
3. Expect a pragmatic approach from the regulator
Arguably the true test for GDPR will be how it’s enforced. This responsibility is held nationally by the designated “Data Protection Authority” in each member state. Here in the UK, that’s the ICO and questions have been asked about whether it has the organisational and financial resources to pursue big, powerful companies.
The ICO has recruited heavily and is rumoured to have doubled in size. However, with the high number of notifications being made in the GDPR environment (because companies can be fined for not notifying), it will have to prioritise which leads it follows and, in terms of potential fines, which companies it prioritises. Industry insiders have speculated that the ICO is more likely to pursue “big scalps” in the first wave of fines.
In terms of lower-profile organisations, it’s widely believed that the ICO is looking for companies to demonstrate that they’re on the “road to compliance” and are taking steps in the right direction, rather than being able to prove that they’re already fully compliant. With this approach it could be the case that 2019 will see the more serious fines and actions.
4. Seize the opportunity to make the case for data
It’s likely that widespread media coverage and customer comms around the implementation of GDPR have led to consumers re-evaluating the value of their data. In fact, after a series of high-profile data breaches, there is a risk that “data” is now being seen as a dirty word as it’s widely associated with hacks, breaches and being sold on for profit.
This means there’s an urgent need to make the positive case for data and to articulate the value that it brings to consumers and organisations alike. This would involve demonstrating that collecting and sharing personal data doesn’t just pose risks to consumers but also has significant benefits. Arguably there’s a compelling message here to explain that data has allowed technological developments that benefit us all – from a move to personalised medicine to making your online shopping experience quicker and more convenient. We can expect some of the more bold and sophisticated businesses to step up and tell this story.
5. Look out for what’s around the corner
Just when you thought you could relax now the GDPR deadline has passed, there is another piece of regulation you need to be aware of. The EU is currently debating how to replace the existing Privacy and Electronic Communication Regulations (PECR) with a new regulation which governs electronic communications. There is some concern among experts that this will be even more stringent than GDPR. We should know in the next 12 months or so how PECR is likely to play out. But if GDPR has taught us anything, it’s that businesses need to be getting ahead of the regulations by proactively tightening up their processes and procedures.
As daunting as this may sound, businesses should remember they’re not in this alone. There are partners and advisors who are ready to help them meet these challenges and capitalise on the opportunities.
If you’d like to speak to a member of our team to discuss this further, contact our Crisis & Issues team.
Jennifer Giff, Crisis communications