GDPR – Sink or Swim
Data-focused regulation by any other name would still be regulation. But will GDPR make a difference?
Can’t live with it, can’t live without it. A familiar refrain that seems to apply to many areas of life – love, vices, household appliances… you name it. But when it comes to the EU’s new General Data Protection Regulation (GDPR), which takes effect on 25 May (yes, this week), ‘can’t live without it’ isn’t an option.
Data, data everywhere
Data, data, everywhere, harness it or sink. OK, so not exactly Coleridge – and would The Rime of the Ancient Data Analyst really have stood the test of time?
But even if you’re not a fan of water-based metaphors – waves, tides, floods, deluges, inundations, tsunamis, drowning – usually employed by the tabloids to create or perpetuate fear rather than allay it, there’s no getting away from the fact that we are literally – quite literally – surrounded by data. Unfathomably large quantities of the stuff. Even Big Data now has more than a whiff of understatement about it.
Power and potential
We increasingly understand the value and power of data. Not just because it means we can get our latest Netflix fix without fear of buffering. But because data is a commodity. Just witness recent global headlines that drew attention to personal data obtained from a giant social media platform that was later used (potentially, allegedly…) to help generate enormous profit and influence without the knowledge (or full understanding, at least) of the source of that data – millions of ordinary people.
For most of us, data, regulation and compliance aren’t words like ‘cosy’, ‘snug’ or the Danish hygge (for our more cosmopolitan – including Danish – readers) that make us feel all warm and fuzzy inside. But neither do they need to fill us with dread.
GDPR is legislation that has been created to protect the personal data of EU residents. It grants individuals greater control over their personal information than previous data protection legislation did, including what is used and how, the transfer of data to third parties, and the ‘right to be forgotten’ (under specific conditions).
This is a good thing for the personal data protection of Europeans.
Global impact, global compliance
Although GDPR is EU legislation, its impact will be felt far beyond Europe. In fact, it will apply to any business that controls or processes the data of EU residents – regardless of the location of the business.
Although viewed by some in the past as the enemy of corporate progress, compliance is rapidly becoming an increasingly strategic, core business function and compliance teams are already implementing GDPR-ready plans and processes.
Why? Apart from the obvious benefits of GDPR to consumers, non-compliance could result in hefty fines – up to 4% of a company’s annual revenues or €20 million, whichever is greater. Not exactly small change.
Dodging compliance to advance the business strategy, under the impression that ‘it’s easier to ask for forgiveness than permission’, now looks less advisable than ever.
When it comes to PR and marketing, reputation is everything – both to businesses and the agencies that support them in ensuring their reputation inspires confidence and trust.
Given the scope and reach of GDPR, it’s unsurprising that the regulation will play a key role in shaping approaches to PR and marketing.
Under GDPR, ‘data controllers’ are usually the brands or organisations that have a direct relationship with the end-customer. They determine the purpose and means of processing personal data. These controllers bear the primary responsibility for compliance with GDPR.
‘Data processors’ process personal data on behalf of data controllers and may include businesses such as PR agencies and email service providers.
For the first time, data processors will be directly accountable to the Information Commissioner’s Office (ICO) (in the UK) or other regulators for compliance with certain obligations, including having adequate security measures in place and keeping comprehensive records of data processing activities. That’s quite a responsibility.
GDPR at a glance
- Comes into effect on 25 May 2018
- Affects all organisations working within the EU
- Applies to any organisation – regardless of its location – that processes personal data of EU residents or offers them goods and services
- Enforces the right of consumers to have all traces of their personal data removed from the records of companies with which they do business
- Requires ‘data portability’ – companies must give customers a copy of their personal data to take with them upon request
- UK entities wishing to maintain access to the EU market in some capacity post-Brexit will need to comply with GDPR if they intend to continue offering services to EU data subjects
Ride the wave
The chances are, your organisation’s preparations for GDPR have been well underway for some time. You will have been thinking about how you obtained data from individuals in the past, how you manage and use it now, and if any of that needs to change under GDPR.
It will also have an impact on how you communicate with your clients, prospects and other stakeholders. And failure to take this into account will affect your reputation – and, ultimately, your bottom line.
Your customers and prospects will expect you to be GDPR-compliant. So now’s the time to get on board, ride the wave, sink (no!) or swim. Well, you get it. And that’s why we’re here to help.
The views expressed in this article are those of the author. For official information on GDPR and to find out if your business is GDPR-ready, please visit the website of the UK Information Commissioner’s Office (ICO).