A shock is coming to UK businesses who haven’t yet put a data protection programme in place. The General Data Protection Regulation comes into play in May 2018, by which time businesses need to show they’re already compliant with it.
Industry leaders say it can take up to three months to plan a data protection programme and another three months to implement it, depending on a business’s current systems of data capture, storage and processing.
Despite there being only seven months to go until the GDPR kicks in, businesses are showing that they aren’t yet ready for it. A study from TrustArc indicated that in August 2017 two thirds of UK respondents hadn’t begun their GDPR compliance programme, and more than 92 percent of respondents said they still needed to invest in it. Another study, by Alert Logic, showed that only five percent of businesses across Europe were prepared for the GDPR and only 27 percent were confident they’d be ready by May 2018.
Unless businesses get started soon, this lack of readiness will mean urgently seeking external consultants or solution providers to speed up the process, and even then, there may not be enough time. High-risk businesses that process a lot of personal data belonging to residents of the EU are especially exposed to the hefty fines they could face for breaches – up to €20 million or 4 percent of global turnover, whichever is greater.
Digital and email marketing companies working with large volumes of personal data to create personalised marketing messages are an example of high-risk businesses. It’s vital for them to implement a data protection plan that’s compliant with the GDPR. At this late stage, they may be best advised to enlist the service of a dedicated GDPR compliance provider or urgently bring a data protection officer on board to assess their systems and recommend courses of action to bring them into compliance.
EU data subjects have stronger rights under the new regulation and one of the things they’re entitled to do is ask businesses to divulge the information they have on them, and even have it erased. They also need to be informed of any data breaches that pose a high risk to them. Many marketing companies aren’t ready to do this.
According to the Direct Marketing Association, only half of marketers say they’re on the right track. Is your business on the right track?