With the clock running down on GDPR D-Day - after over six years in the making - we are fast approaching the business end of proceedings. Despite a new sense of optimism that the regulation may not be as much of a burden as first feared, the past week has seen plenty more dire warnings to both businesses and EU member states to get in shape.
According to the European Commission, only Germany and Austria have already implemented the new regulation into their national laws, leaving the other 26 with much work to do. The UK is at least halfway there, having introduced the UK Data Protection Bill, which it hopes to have passed by May this year so that Britain can adopt GDPR post-Brexit.
However, it seems the Government is still concerned that British companies have yet to fully wake up to the impending deadline and are sleepwalking into trouble. Even Bob Geldof has waded in.
So, with the 100-day milestone looming large, just what are UK firms doing to get in shape?
One answer is the emerging trend of companies trying to work together for a co-ordinated approach to GDPR. One of the first to spot the potential value of this move was DBS Data, which launched an initiative called the Compliance ThinkTank last year.
DBS Data managing director and CEO, Adam Williams, explains the rationale behind the group: "Late in 2016, I was having conversations with data protection officers and others with compliance in their remit and many were feeling isolated and struggling with the interpretation of GDPR. It struck me that a regular discussion group would significantly help and align interpretation and the Compliance ThinkTank was born. Each month, ten to 20 of us meet in central London to discuss updates, pool knowledge and improve our collective understanding, free from any defined commercial agenda. It remains an open group and we very much welcome new members."
The companies involved share information, but do not have a set agenda to identify areas of concern and agree a unilateral approach. Generally, people leave a Compliance ThinkTank meeting with a much clearer understanding of how they should act in the best interest of their respective organisations, Williams claims.
“A collective approach is in all of our interests.”
It is a strategy which Blueberry Wave director, Nick Dixon, supports. He says: "I think that a collective approach is in all of our interests as data-powered companies of whatever shape or size. After all, if we speak with a common purpose and understanding, then we do not send out conflicting messages to our clients and prospects. A lot of us are investing a great deal of time and money in ensuring that we deliver the best compliance and guidance to our clients. Much better to speak with non-conflicting interpretations."
Wilmington Millennium product director, Karen Pritchard, has also witnessed similar initiatives and believes that the old adage of safety in numbers certainly applies. "We are increasingly hearing from our clients that they are forming alliances within their industries to work through GDPR's compliance requirements. Not only does a collective approach mean that organisations within sectors can work through the issues that affect them most together, but it also demonstrates a collaborative effort to improve marketing practice, which is ultimately the foundation of GDPR."
Others point to the formation of unofficial support networks that are making it easier for companies to move closer to compliance, simply because the marketers in the network can all pool their resources to solve the problems at hand.
Many have criticised the ICO for its lack of guidance, so does a collective approach fill the gaps?
W8 Data managing director Will Anthes is not so sure. He explains: "Firstly, the ICO should not be criticised for its lack of guidance. It is doing the best it can under difficult circumstances and, ultimately, it is not the ICO's responsibility to get each and every business compliant - it's down to the organisation itself."
Anthes also doubts that working in concert is the silver bullet, insisting that while sharing knowledge is admirable and, indeed, beneficial, when it actually comes to the brass tacks of becoming compliant, an organisation must go it alone. "The reason is because every business is different. It will collect different data, have different storage facilities, have different rules governing the data, have different hygiene regimes - the differences are endless. Consequently, one business' GDPR issues will be very different to another's and working together could actually inadvertently result in confusion and non-compliance."
But with no end in sight to what the ICO has branded "scaremongering", what are the big issues marketers are still facing and what are they most fearful of?
"The big issue on everyone's mind is opt-in.”
According to the latest results of a tracking study by the DMA, published late last year, key concerns for organisations are consent (28%) and legacy data (18%), while priorities remain updating privacy policies (15%), integrating compliance systems (12%), auditing current state (12%) and data management breach processes (11%).
But for Rubicon Insight managing director, Stuart Broughton, one major fear tops the lot: "The big issue on everyone's mind is opt-in. We've long been extolling the virtues of customer preference centres (CPC) as a cost-effective, compliant solution to permission and now, as we get closer to the deadline, we are seeing significant spikes in interest in CPCs as a way responsibly and legally to hold customer data."
Meanwhile, Williams insists that sometimes it is less scaremongering and more scaring ourselves about what is required, citing a lack of information and misinterpreting the rules.
He adds: "For marketers, the biggest fear is the loss of audience that has been hard-fought to build, along with reputational damage, both personally and to the brand. Marketing is all about creating opportunity and delivering positive results for the business. You don’t want to be responsible for dragging it through the press.”
“The risk doesn’t just sit with marketing, but with the CFO and the board.”
Others point out that it will be difficult for some businesses to meet the compliance deadline as they may not have embarked upon creating a GDPR-compliant single customer view, and Dixon is a firm believer that marketers are not solely responsible. He explains: "I think the risk doesn’t just sit with marketing, but ultimately with the chief financial officer and the board of the company in relation to possible penalties and also brand damage. The main fear is that remaining uncertainties about rules are going to be clarified in court by case law. This feels unfair and no one wants to be first in court, do they?"
According to a recent study by W8 Data, only a quarter of customer data held by businesses is currently compliant with the right permissions in place to allow marketers to continue to market to its customers and prospects. This means that three quarters of the data could, by 25th May, be obsolete. It has seen a rise in repermissioning campaigns as marketers attempt to get opt-ins in place. Additionally, the more traditional areas of data protection, like data cleansing, are becoming more popular as clients seek to find effective and cost efficient ways of looking after their data and demonstrating their responsibilities towards it.
When it comes to scaremongering, Pritchard points the finger squarely at supplier organisations "that should know better", adding that "many have been guilty of attempting to leverage GDPR as a way to boost revenue". However, she adds: "There are legitimate concerns and these tend to be around permissions. The majority of organisations do not currently hold opt-in, granular permissions from their customers, nor do they have a solution in place to collect them once GDPR comes into force."
Williams claims many organisations and consultants offering GDPR advice are simply not qualified to do so. He says that marketers need to carry out due diligence and seek out those who have proven expertise, for instance, those who have passed the DMA’s extended compliance audit process for data businesses and the Principles of Data Protection (Data Control) Level 2 course.
“Not many experts can tell you how GDPR should be done in a practical manner.”
Plenty of so-called "experts" offer advice but not many can guide and assist clients through the maze to achieve practical implementation, Dixon asserts. He comments: "Many can tell you what needs to be done but not many can tell you how it should be done in a practical manner. This is why the gold standard companies of the industry should work together to speak with a common voice for what will be a common reset in marketing communications."
For Broughton, it is all about attitude. There are a multitude of GDPR experts peddling their wares on the market, so to select the right one it is important to look for the two key attributes of experience and innovation, he says.
"Look for evidence that people have been in the data industry for years, that they have a forensic knowledge of data protection and data-based marketing. Firms must also identify organisations that are keeping ahead of the curve when it comes to new technologies and integration. When taken together, experience and innovation will cover all bases.”
Still, it would appear that it is not all doom and gloom, with recent research claiming marketers are feeling more positive towards GDPR. Rubicon Insight's Broughton has certainly seen a change. "As 25th May gets closer, positivity towards it also increases. We believe this is because there has firstly been a seismic shift in what is being reported in the media. Initially, it was all disastrous and the research being commissioned tended to result in negative stories, while today the reports are more positive. For instance, this morning I read an article about the opportunities that GDPR will bring to the utility sector. Six months ago, that same piece would have focused on the threats. Secondly, we think that, as GDPR gets closer, organisations are getting more involved in compliance in order to make it a reality and they are discovering that it isn't as onerous or draconian as they might have first thought."
“Positivity is born out of how informed and where you are en route to compliance.”
Williams agrees: "In our experience positivity is born out of how informed and where you are en route to compliance. The longer you have been on the path to GDPR compliance - for DBS Data, the journey began over three years ago and we have been fully-compliant for more than 12 months - the more confident you feel. We have had a long time to consider the implications, evaluate the opportunities and make the required adjustments to our business model. So, I think that, as the deadline approaches, interpretation improves and preparation is completed or well underway, confidence and positivity returns."
Both Dixon and Pritchard reckon it depends on which sector you are talking to. Pritchard says that financial services are positive while charities remain negative, adding that highly-regulated sectors, like banks, which already adhere to Know Your Customer and Anti-Money Laundering rules, are finding it easier to work through compliance, because much of it is already incorporated in some way in the existing legislation.
On the other hand, charities are struggling due to the ambiguity that still exists in terms of what is actually required and their past history of being fined for “unfair” practice. Dixon concurs that each sector will have a different view.
However, he sums up the general mood by concluding: "What we do know is that, surely, it is better to treat your customers with trust and transparency and, ultimately, turn big data into smart data, leading to more relevant marketing communications.”