We have all been subjected to a multitude of emails asking for our consent to remain on a company’s email marketing lists. What this reveals is the number of unexpected places where our personal data sits – did you really sign up with that particular retailer, or even know that that recruitment company had your CV? The Facebook / Cambridge Analytica fiasco started to bring this to the fore, but this rush to gain consent from all sorts of companies has further highlighted how far and wide our personal data is spread.
I don’t want to criticise companies for gaining consent from customers to continue sending marketing messages; it is a laudable attempt at remaining compliant. But it perhaps also reveals that some organisations do not understand the legal basis they should be using for processing people’s data. This then begs the question of whether these organisations properly understand the regulation and, therefore, whether they will be compliant in everything they do.
Sometimes the content of these messages is misleading. Some companies boldly state that they are GDPR compliant. To my mind this is misleading because compliance is a moveable feast: you may be compliant today, but tomorrow one of your employees might do something that is not compliant. I think it will take some time before people’s behaviour changes sufficiently to ensure continual compliance. Perhaps an example from another regulation will bring this to life. How many building sites have you walked past that have all the appropriate HSE signs up stating that personal protective equipment must be worn when on site? And yet when you look in you will see builders not wearing hard hats or steel boots. The actions of the builders are undermining the policies and procedures of the company.
The unintended consequences of these emails are threefold.
- First, the sending of the email might be illegal in itself. If the organisation didn’t have the correct permission in the first place under the Data Protection Act 1998 and / or the Privacy and Electronic Communications Act (PECR), then there is a risk that it might be reported to the ICO and fined, as Flybe and Honda found out last year.
- Second, there is a significant commercial risk in that the company may be destroying its customer database, either because people have re-appraised which marketing emails they want to receive, or because people are sick of receiving these emails and so are unsubscribing from every one of them.
- Third, it may be causing a significant operational problem because of the sheer volume of Subject Access Requests and Right to Erasure requests that companies now have to deal with, quite apart from the people who are opting out.
However, the positive side of companies sending these emails is that they will now know who is really interested in their products and services, so the data they hold will be of a higher quality, albeit there will be much less of it!
As we have repeatedly told people, 25th May 2018 is a start date, not an end date. Some companies might be heaving a huge sigh of relief that they have got themselves into what they consider to be a compliant state. This could lead the senior management team to think that they can now put this to one side and ‘get on with normal business’. In our opinion this would be a huge mistake. In the course of helping companies to get to grips with the GDPR, every one of them has had a moment of realisation that compliance means looking at every process they undertake, and that this is in fact a behaviour change project, not just a compliance one. Behaviour change takes time and effort, and it must be led by the senior managers. No doubt there will be a period of calm now until the first cases come before a judge where a company has infringed the law, and this will trigger a new flurry of activity. As we have stated, change takes time, so companies need to stay alert; otherwise they might find themselves as the test case.
Many organisations have had to appoint a Data Protection Officer (DPO), and that is right and proper. However, there are a huge number of small to medium-sized companies that either cannot afford to appoint a full-time DPO, or do not need to appoint one because their levels of processing activity don’t justify the appointment. Nevertheless, all companies are processing people’s data and so will need some form of help in order to remain compliant. The options are either to give someone the additional responsibility, although the law is very clear that there must not be a conflict of interest with their other / main job, or to use an outsourced provider. The advantage of the latter is that he / she will be a subject matter expert, as opposed to the internal appointee, and will keep abreast of the latest news and best practices. They will be able to give impartial advice, since they won’t be subject to the usual office politics. They will also be considerably cheaper than a full-time resource.
Although The Data Guardians prefer to stress the positives of the GDPR, the risks of getting it wrong are considerable – fines, sanctions and reputational damage. Companies adhere strictly to other laws, e.g. accounting regulations, whose downsides are much smaller than those of non-compliance with the GDPR, so they now need to ensure that they comply with these new laws too.
The new data protection laws are a positive step to redress the balance in what was a largely unregulated area of business practice, where unfortunately there has been abuse of people’s personal data, usually without their knowledge. The advantages of having engaged customers who want to hear about your products and services are huge, both in terms of cost savings and revenue-generating possibilities. But realising these advantages requires the organisation to pay constant attention to data protection laws.