Since the introduction of the General Data Protection Regulation (GDPR) on 25th May 2018, we’ve seen it progress from filling our inboxes with a flurry of opt-in emails to a fairly quick return to business-as-usual treatment by businesses.
Although initial fears that the regulation would lead to a general meltdown of customer relations have proved largely unfounded, a number of high-profile incidents have stirred public concern about how personal data is stored and shared. Shortly before the GDPR came into force, it was revealed that Facebook had allowed Cambridge Analytica to access vast amounts of user data, which was used for targeting in the 2016 US Presidential campaign. Since then, many Facebook users have called for tighter controls over their data.
What has this meant for the organisations we work with? In the past year, we’ve seen a growing demand for our Virtual Data Protection Officer service and it has become clear that many organisations are still unsure what they need to do to fully comply with the GDPR.
Below are the three key things we’ve learned about the GDPR since last May.
Due to the apparent complexity of the GDPR, organisations of all sizes feared that they would soon fall foul of the law. In the past year, UK businesses have racked up fines totalling over £1.2 million, primarily for self-reported data breaches. Across Europe, a reported 91 penalty fines were issued for a total of €56 million, but the majority of that amount was levied on Google, which was fined €50 million by the French government for not properly disclosing to users how data is collected across its services to present personalised adverts.
According to several reports, the number of penalties is set to rise in 2019 as each country’s regulators extend their capacity and powers to enforce the rules. This is aimed particularly at major offenders that may believe they are above the law, but it could also affect smaller businesses that haven’t implemented the full range of compliance measures. Many agree that the regulation still has some way to go, especially in terms of clarifying what data can be used, and how.
While much attention was paid to how the GDPR would apply to outbound communications with potential and existing customers, less attention was paid to how data would be protected within a business, and this has been one of the most common problems. Many of the reported GDPR violations were related to improper handling of customer data.
We outlined in a previous blog the steps that organisations need to take to comply with the regulations. A key step is to make it clear to customers what personal data will be processed and for what purpose it is collected. There are many common instances where organisations are not doing this properly – for example, many website cookie consent buttons do not explicitly tell website visitors how they will be tracked and how that information will be stored. However, it is unclear how this could be resolved: most people will not read a full list of terms and conditions simply to access a website, and organisations need to collect data in order to improve services.
While the GDPR has meant that most organisations have had to take a long look at how they handle customer data and apply new policies, for many this provided a good opportunity to re-evaluate how they communicate with customers. Some of our clients took an unequivocal approach, ensuring that they only communicate with customers and prospects who have opted in to marketing communications. This has given them the means to deliver more targeted, relevant information to a more engaged and responsive customer base.
Organisations have also taken the opportunity to review and update how they comply with industry regulations across the board. In this way, they have achieved higher levels of compliance and, as a result, many have obtained ISO certifications and met other industry-specific regulations. At a recent Executive Lunch roundtable, our keynote speaker Patrick Wheeler pointed out that by improving data handling processes, organisations not only reduce the risk of a data breach but also gain more efficient working processes and deliver a better service to their customers.
Despite the ongoing confusion and perceived lack of clarity around the GDPR, we have found that the regulation has had real benefits for organisations, and for many this has led to a more positive relationship with customers. If you would like to learn how Conosco can help your organisation with Compliance and Certification, contact us now.