What was that all about? 5 Observations after the advent of the GDPR

I've been helping SMEs to adjust to the new "GDPR Way" of doing things for many months now, and I'd like to share some brief observations from my travails.

  1. These companies, from sectors like Property, Accountancy, Charities, Publishing and Hospitality, have one thing in common: they are unlikely to attract massive fines from the ICO. The scaremongering has been ridiculous, inaccurate and unhelpful. Most clients - when I first meet them - have been whipped up into a panic and it can take a while for the facts to overcome the fear.
  2. So if avoiding fines isn't the reason to do something about the GDPR, even now, what is? In my experience, what really compels SMEs to do something about the GDPR is having the ability to do business with others. Many clients have received requests from larger organisations asking serious questions about how they treat personal data. If you've not asked yourself those questions, you stand no chance of being able to answer, and will be less competitive as a consequence.
  3. Asking those questions of your own organisation is the key to being able to adjust to the GDPR standard. The overarching principle is accountability, so if you don't know what data you have, where you got it from, how you protect it, where you send it to and so forth, how can you possibly demonstrate accountability? Being compliant isn't about having a shiny certificate or a brilliant privacy statement - it's something you do every day. It's being genuinely committed to protecting Data Subjects' rights.
  4. Some companies have still not "got it" - even very big ones that can afford expensive lawyers and PR teams. The concepts of 'legal basis' and 'legitimate interest' have been widely misunderstood, especially where the legal basis of consent for marketing communications is concerned. This is, admittedly, a complex area - but why did I receive five separate re-consent emails from one major Department Store when I am quite clearly someone who has qualified for the 'soft opt-in' under PECR Article 22? If people are still getting it wrong, perhaps it's another reason not to panic, while clarity emerges over the next few months.
  5. People really care about what happens to their data. I've quipped in various seminars that data is a really boring subject that gets very interesting when you delve into it a bit, but then very boring again when you look even closer and have to go through someone's hard drives looking for rogue spreadsheets. Nevertheless, when I've done training sessions, what really engages people is approaching the topic from their perspective. The impact of a 'listening' device in the home like Alexa is quite massive, for example, and when people really grasp the enormity of the potential consequences of giving up their personal data, they understand just why we need the GDPR.

I hope you've enjoyed these brief thoughts; you have my consent to comment and/or email me yours.