2018 is going to see big changes to how Europe (and the world as a whole) will have to deal with peoples Personal Information with the replacement of multiple Data Protection Acts with a single encompassing General Data Protection Regulation that comes into effect on 25th May 2018.
Although GDPR has been in discussions for the last two years, with a grace period to get everything in place, there has not been much of a push from the main Supervisory Authorities to make it as widely known as it should be and quite a few of the guidelines are open to interpretation and conjecture by companies. Some industry bodies are still not ready and are planning on having industry specific guidelines written and in place by the end of 2018, seven months after the introduction of GDPR.
This approach by Supervisory Authorities and industry bodies is causing three main reactions that companies are taking to GDPR.
Fear: Some companies are looking at the size of the GDPR and interpretation, conjecture within and lack of guidance from Supervisory Authorities and bodies and thus focusing on all the negative aspects of the regulation such as the rewriting of procedures and policies, the updating of all databases to get consent, and most importantly the size of the fines that can be levied. There are also, unfounded, rumors that the Supervisory Authorities will make examples of companies early on when breaches are discovered and levy the maximum fines possible, while the reality is there will more than likely be leniency from the Supervisory Authorities at the beginning with more of a working together approach, unless repeated warnings or severe breaches that have not been reported properly.
Follow: While some companies are panicking over GDPR, other companies are looking at it as no real change and assume that they can follow on doing exactly as they have in the past with the hope that if they do not attract any attention from the Supervisory Authorities then they will have nothing to worry about. The mentality here is if you do not upset any individuals then they will have no reason to approach the Supervisory Authority and report a potential breach, they are also hoping that the general population is not fully aware of the changes or who to report anything to if they think it is warranted. In the UK this theory that the general population is not fully aware of GDPR and how it affects them is more than likely true, however the same, almost certainly, cannot be said about other countries in Europe.
Flourish: The final group are the proactive companies that look upon GDPR as an opportunity to improve their systems by having updated internal policies, practices and structures in place to deal fully with all compliance needed. These companies stand in the best shape as under GDPA, Data Controllers as well as Data Processors take joint responsibility with regards to the processing of Personal Information so this will give added peace of mind to both clients and Data Subjects alike. Not only does this proactive response provide peace of mind but it also means that these companies are reaching out to their contacts, subscribers etc to get renewed consent and as a result will have a cleaner, updated list of contacts to target with improved efficiency.
Either of those three reactions, are perfectly normal given the circumstances. If you’re in fear, or even the follow camps, a huge factor in relieving the GDPR headache is through ensuring your data and insight partners fit firmly in the flourish camp. At Kadence we were the first agency in the UK to gain the ISO9001 accreditation back in the 1990s, so robust data processes and transparent data collection has always been at the core of what we do. For our clients there is very little you’ll need to worry about when it comes to GDPR and the delivery of data, we’ll do all the heavy lifting so you don’t have to. If you’re interested in understanding the specifics of GDPR and how our processes fit in with it, you can read more here.