GDPR - 6 months in

May 25th 2018. GDPR-Day. That was going to be the new Millennium Bug: email marketing was going to stop working, every business in the country was going to be fined 4% of its global turnover because it didn’t have passwords on all of its spreadsheets, and your directors were all going to prison. And there was the Brexity-shaped elephant in the corner.

Of course, the world hasn’t ended. There hasn’t been a flurry of regulatory activity, and it’s been business as usual for marketing campaigns.

But that doesn’t mean that the GDPR has gone away. It’s been incorporated into UK law wholesale by way of the Data Protection Act 2018, so the obligations are all the same.

Businesses still need to ensure that they present sufficient information to customers about how their personal information is handled. There’s no defined way to do this, but it’s generally been interpreted as requiring a clear privacy notice/policy to be presented at the point where a person’s name and contact details are taken. As a consumer, this is where I see many, many organisations falling short.

I was fuelling my cycling equipment habit in Halfords last week and quite liked their free leaflet on the counter at the checkout: “Maintaining Your Data Privacy”. That’s a good way to do it. I’ve also seen business cards with links to online privacy policies, and even supposedly child-friendly comic book versions of what companies do with data. I hope they had plenty of Haribo in that focus group.

In the UK, it’s the Information Commissioner’s Office that deals with infringements of the data protection laws. Aside from the Cambridge Analytica case, we’ve not heard much from them. That’s because they have to carry out detailed investigations of allegations of breaches, and go through a thorough process before levying fines and penalties. These things take time, and it’s only been 6 months. Harsh decisions haven’t come yet, but they will.

So what can businesses be doing? Check that your ongoing marketing list opt-in/opt-out/consent process is still working - does that suppression list do what we think it does? Make sure you’re periodically reviewing and deleting personal information you don’t need to be keeping. That tidy-up in April was a good idea, but maybe it’s time for another one. Have you appointed a data protection officer if you need one?

It’s never too late to review the compliance position. The noise may have gone away, but the law hasn’t.