GDPR Readiness: Ostrich or Scout?
The motto of the British Scouts, Be Prepared, was devised in 1907 and first published in 1908; the Boy Scouts of America adopted it in 1910. A Scout must BE PREPARED. When Robert Baden-Powell, the originator of the motto, was asked “prepared for what?”, he replied, “Why, for any old thing.”
That thing, today, is the GDPR.
Ostriches, on the other hand, bury their heads in the dirt, or so goes the metaphor. When people claim someone (or some business entity) has their head buried in the sand, they are saying that the person is ignoring obvious facts or refusing to accept advice, hoping that simply denying the existence of a problem will make it go away.
The GDPR is not going away.
If anything, it’s getting closer by the day.
As we work with clients and associates, PDEC members and others (disclaimer: in addition to my duties as Executive Director of PDEC, I also provide consulting services to clients and work with other industry initiatives, non-profits and trade groups), we find two very separate camps when it comes to GDPR readiness: Scouts and Ostriches.
Which businesses, and of what size, fall into each camp might surprise you.
In discussions with CMOs and CIOs there is a sense of readiness, planning and concern, a full-on attack on the problem. These conversations more often than not take place in larger companies, but not only there, and not in all larger companies.
Many ostrich-like entities are smaller businesses running from the regulations, rationalizing it with the thinking that the smaller they are, the less likely they are to be made an example of, or to be chased by the powers that be. One CEO said, “A year into it the consultants will charge less, we’ll figure it out after the kinks are worked out.” Another small business owner felt they were too small, with too few clients, to be on the regulator’s radar.
Common, though, among the ostriches large and small (and among those all but catatonic with fear) was a lack of understanding of GDPR terms, roles, priorities and, get this, where to start. Commvault, a publicly traded data protection and information management firm, ran a global survey on GDPR preparation of 177 IT personnel in October 2017.
It found that only 11% of organisations around the world understood what constitutes personal data within their own organisation. Key points from the Commvault study:
- 21 percent feel they have a good understanding of what GDPR means in practice
- 18 percent said they understood what data their company has and where it lives
- 17 percent understood the potential impact of GDPR on the overall business
- 12 percent understood how GDPR would affect cloud services
Other findings of note: a lack of understanding of the most basic GDPR terms, “personal data” and “the right to be forgotten”, and even of how to find or delete data on request. Only 9% felt they could effectively anonymise data when required to do so. A mere 8% believed they would be able to collate and move data to another organisation at an individual’s request. Being unable to do either is, of course, non-compliant with the GDPR. Think, then, how many companies are unaware of these as issues, much less of the facilities they must have in place as of the 25th of May.
Beyond these issues are finer differences between the old rules and the new ones, and between the GDPR and neighbouring regimes such as the EU’s PSD2 and Canada’s PIPEDA. Chief among them is the move from implicit to explicit consent, also called purpose-bound consent. Prior to the GDPR it was common practice for companies to rely on implicit and opt-out consent when gathering personal data from individuals (users, customers, participants): a pre-ticked checkbox, or no checkbox at all, and all was well. Implicit.
This changes on the 25th of May.
Implicit consent is gone, disallowed by the GDPR. The regulation requires the individual (user, customer, etc.) to signal agreement by “a statement or a clear affirmative action”; silence, pre-ticked boxes or inactivity do not count.
This is no small change. It requires redesign of forms and flows, new language, and a major course of action.
If a company, be it large or small, for-profit or non-profit, private or not, has a database of personal data acquired via implicit consent, that data cannot be grandfathered into compliance under the GDPR. The company must request consent again, reaching out to its customers in a manner that itself complies with the GDPR.
Helpful reading: the definition of consent under the GDPR, found among the definitions in GDPR Article 4.
- Consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11)). Each of those qualifiers is a condition in its own right, and they apply to every individual processing activity; the conditions are spelled out further below.
GDPR Article 7 sets out the conditions for consent to be valid, building on the Article 4 definition. To wit:
- Consent needs to be freely given.
- Consent needs to be specific, per purpose.
- Consent needs to be informed.
- Consent needs to be an unambiguous indication.
- Consent is an act: it needs to be given by a statement or by a clear affirmative action.
- Consent needs to be distinguishable from other matters (it cannot be buried in the terms and conditions).
- The request for consent needs to be in clear and plain language, intelligible and easily accessible.
- The controller must be able to demonstrate that the data subject consented (Article 7(1)), which means keeping a record of what was asked, how and when.
- Consent can be withdrawn at any time, and withdrawing it must be as easy as giving it (Article 7(3)).
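What those conditions mean for the systems that hold the data is easiest to see in code. The following is an added illustration written for this article, not code from PDEC or from any client: a small append-only consent ledger in Python that accepts only affirmative capture methods, stores one purpose per event together with the wording shown (so the consent can be demonstrated later), treats withdrawal as a first-class event, and refuses to grandfather a pre-GDPR consent table. The method names, purposes and the legacy rows are all made up for the example.

```python
"""Purpose-bound consent ledger (added example; names and sample data are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Capture methods that count as "a statement or a clear affirmative action".
# These labels are assumptions for the example, not a standard vocabulary.
AFFIRMATIVE_METHODS = {"ticked_unticked_box", "typed_statement", "signed_form"}
# Pre-GDPR patterns: silence, pre-ticked boxes, inactivity, consent bundled into the terms.
IMPLICIT_METHODS = {"pre_ticked_box", "opt_out_default", "silence", "bundled_terms"}


class InvalidConsent(ValueError):
    """The capture does not satisfy the consent conditions."""


@dataclass
class ConsentEvent:
    subject_id: str
    purpose: str       # exactly one purpose: consent is specific, per purpose
    granted: bool      # True when given, False when withdrawn
    method: str        # how the signal was captured
    text_shown: str    # the request wording, retained so consent can be demonstrated
    at: datetime


@dataclass
class ConsentLedger:
    """Append-only log of consent events; the latest event per (subject, purpose) wins."""
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, subject_id: str, purpose: str, method: str, text_shown: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        if method not in AFFIRMATIVE_METHODS:
            raise InvalidConsent(f"{method!r} is not a clear affirmative action")
        if "," in purpose or " and " in purpose:
            raise InvalidConsent("record one purpose per event; do not bundle purposes")
        if not text_shown.strip():
            raise InvalidConsent("keep the request wording so the consent can be demonstrated")
        ev = ConsentEvent(subject_id, purpose, True, method, text_shown,
                          at or datetime.now(timezone.utc))
        self.events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # No method check on the way out: withdrawing must be at least as easy as giving.
        ev = ConsentEvent(subject_id, purpose, False, "withdrawal", "",
                          at or datetime.now(timezone.utc))
        self.events.append(ev)
        return ev

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for this subject and purpose, or None if never asked."""
        for ev in reversed(self.events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        ev = self.latest(subject_id, purpose)
        return ev is not None and ev.granted

    def import_legacy(self, rows: List[Dict[str, str]]) -> List[str]:
        """Load a pre-GDPR consent table. Rows captured by an affirmative act are kept;
        rows captured implicitly are not grandfathered and are returned as the list of
        subjects who must be asked again."""
        to_reconsent = []
        for row in rows:
            try:
                self.record(row["subject_id"], row["purpose"], row["method"], row["text_shown"])
            except InvalidConsent:
                to_reconsent.append(row["subject_id"])
        return to_reconsent


# Constructed sample of a pre-GDPR consent table (not real data).
SAMPLE_LEGACY_ROWS = [
    {"subject_id": "old1", "purpose": "newsletter", "method": "signed_form",
     "text_shown": "Tick to receive our monthly newsletter"},
    {"subject_id": "old2", "purpose": "newsletter", "method": "opt_out_default",
     "text_shown": ""},
    {"subject_id": "old3", "purpose": "newsletter", "method": "pre_ticked_box",
     "text_shown": "Tick to receive our monthly newsletter"},
]


def demo() -> List[str]:
    """Grant and withdraw for one subject, then triage the legacy table."""
    ledger = ConsentLedger()
    ledger.record("u1", "newsletter", "ticked_unticked_box", "Email me the monthly newsletter")
    ledger.withdraw("u1", "newsletter")
    assert not ledger.has_consent("u1", "newsletter")
    return ledger.import_legacy(SAMPLE_LEGACY_ROWS)


if __name__ == "__main__":
    print("subjects to re-consent:", demo())
```

Two design points carry the weight here. The ledger never overwrites: a withdrawal is appended, not deleted, so the controller can still show what was consented to, when, and when it was revoked. And `import_legacy` is deliberately strict: an opt-out default or a pre-ticked box fails the same check a fresh capture would, which is exactly the “no grandfathering” rule described above, expressed as a data migration.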
A Marketing Conundrum? These consent specifics offer a segue to an interesting marketing question. Is it harder for marketers to do their job when outreach is so narrow, defined and restricted, perhaps best described under the GDPR as placed in the hands of the individuals (customers, users, target buying audience, etc.)?
Or is it a perfect storm of opportunity for marketers? They can send their messages to a defined, sincere, pre-targeted and pre-qualified group. The recipients of their message(s) represent less waste, fewer marketing dollars spent on unnecessary impressions, less “garbage effort” all around.
Is this efficiency, or too limited a reach?
It is important here not to confuse marketing with advertising or sales. Marketers shape the message; marketing refers to preparing a product or service for the marketplace. The marketer must understand who the potential customers are and what they want to get from the product or service. It is marketing that defines a brand and attracts the market share you want.
So are marketers better armed? Does a user-offered, self-defined target group offer insights that help the team understand the target market?
Advertisers create ads to highlight and promote that which the marketers have developed. Advertisers have a clear picture of what and where their target buyer population can be found.
Sales goes about selling the product or service to either the end users/customers, or to the sales channels that will distribute or directly sell to the end users.
Under the GDPR, do marketers have a better opportunity? Are salespeople in a better position to laser focus their efforts on a proven, interested community?
In our calls (Zoom, WhatsApp, a few on Skype), emails and discussions with PDEC members, consulting clients and others, there has been a wide gamut of thoughts and opinions on this topic.
What do you think? Let us know.
We’ve had a wonderful response to this series, very gratifying. Your emails and calls have given root to ideas for other articles, as well as people to reach out to for guest pieces.
Should we do a mailbag piece next week? You tell me!