Have you heard of GDPR? Thought not. Marketing expert Paul Clapham takes a look at this piece of legislation that affects every business but appears to have been introduced under the radar.
The General Data Protection Regulation (GDPR) sticks out like a sore thumb as the title of a piece of government legislation, in this case a piece of EU legislation. Any Brexiteers throwing their hands in the air should recognise that we will be subject to such laws for at least two years.
GDPR has been in the creation process while our eyes have been taken off the ball by Brexit. But it is now about to land in every business owner’s lap because it will be implemented on May 25, 2018 – just round the corner.
It is also getting increasing amounts of publicity across print media. Yet a lot of the business owners and managers who will have to work with GDPR appear to know next to nothing about it.
That isn’t totally surprising. Most small businesses – garment decorators as a classic case – would look at the issue and think, ‘I’ve got a database that varies between 300 and 350 at any given time; this can’t refer to me’. Unfortunately it does. It’s like any law – it applies to everyone equally.
What is more the whole issue has really only just crawled out of the woodwork, so nobody can yet be confident of how it will be implemented. The principle of the GDPR is to even up the playing field between the private individual and big businesses. The small business appears to have been left out of the equation.
There are new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines.
Plenty of attention has been paid to the new punitive levels of fines that will apply if you don’t stick to the rules.
Stick to the rules
Facebook, which took a kicking in the courts in Belgium recently on this issue, has been cited as potentially being liable to a fine of up to £1.6 billion – it’s based on a percentage of worldwide turnover. No doubt it has the technological and legal expertise to avoid anything as nasty as that. Obviously that doesn’t apply to the typical garment decorator.
Fear not. Governments throughout Europe might love the idea of using GDPR as a means of gouging money out of Google, Facebook and Amazon, having failed to do so via the tax system, but the smaller business appears to be off the regulators’ radar for the time being.
That is no excuse for ignoring GDPR, but the good news is that you are probably compliant already. You don’t run your business like the three above-named behemoths. You actually do give a monkey’s – about your customers and your own reputation.
You could go on a course and, sure enough, providers are popping up like weeds, which invariably happens when a new and potentially scary issue like GDPR raises its ugly head.
I am told that these people are knowledgeable rather than expert. You may think, ‘OK, that’s good enough to get me up to speed’. It probably isn’t, because these courses tend to be heavily focused on business-to-consumer marketing issues rather than business-to-business issues. If you think a one-day course is a good idea, make sure you will be getting what you need before you part with hard cash.
Elizabeth Denham, the UK information commissioner and hence head honcho of implementing GDPR here, not least enforcing it, says that she is frustrated by the amount of scaremongering around the potential impact for businesses. “The GDPR is a step change for data protection,” she says, “it’s still an evolution, not a revolution.”
Sorry, Elizabeth, your frustration is your own fault. OK, none of us has been paying attention and for sure the whole subject is, to put it mildly, uninspiring, but you have had coming up to two years to get us all onto the same page and it just hasn’t happened.
Little wonder, then, that now the manure is about to come in contact with the air conditioning unit, journalists have hit the scaremonger key. (Incidentally it is standard for new EU legislation to have a two year preparation period between being passed and implemented to enable businesses and public bodies affected by changes to prepare for them; who knew?).
The GDPR changes how personal data can be used. Its provisions in the UK will be covered by a new Data Protection Bill, recently published by the government. It’s the word ‘recently’ in that sentence which defines the sense of sudden urgency that applies to this issue.
GDPR covers both personal data and sensitive personal data. Personal data broadly means any piece of information that can be used to identify a person – name, address, phone number, internet address etc. Sensitive personal data includes genetic data, information about sexual orientation, religion, membership of political parties and much besides.
Those fines which have attracted much attention can be triggered in various ways: if an organisation doesn’t process an individual’s data properly, if it requires a data protection officer but doesn’t have one, if there’s a security breach.
Elizabeth Denham’s office will decide the level of fines but she says speculation that her office will aim to make examples of companies by issuing the sort of fines which would cripple a business is far wide of the mark. Her office will have the option of big fines (and businesses will know it) but she says: “We always prefer the carrot to the stick”. The ICO prefers to work with organisations to improve their practices and a stern letter will usually achieve the desired result.
The view being held is clearly that, if a company is trying to get GDPR right, the ICO is not going to jump on them with steel clad boots for a minor infraction. They want to use those big fines only when they can’t achieve compliance in other ways. Ms Denham says: “Fining a top whack is not going to become the norm.”
As well as putting new obligations on businesses collecting personal data, GDPR gives the individual significantly increased power to access information that’s held about them. Currently, a charge of £10 can be levied by a business faced with a Subject Access Request (SAR). That is being scrapped. Not only must the job be done free, it must be done within 30 days.
The foregoing is reassuring, but not entirely. The ICO promises to play nice if we are all good boys and girls. Of course, 99% of us will be, but we will also be unsure if we have got this new beast under control until a test case occurs, at which point things could get messy.
Then there’s the law of unintended consequences which governments everywhere unfailingly pass. Smartpipe, a customer data intelligence specialist, has warned that the American technology giants could prove to be the first beneficiaries of GDPR, thanks to their sheer size.
European companies will be reliant on outside partners to create targeted ads and will need to obtain user consent each time they data-share. The US monsters do not have this constraint because they are not reliant on third parties.
Nice one guys! You have been trying to give control of data back to John and Janet T Public and, whoops, managed to do the precise opposite. Oh, but there’s more!
How will consumers use the new regulations, and that is ‘use’ in the unpleasant sense? There are predictions being kicked around that claims for misuse of personal data could exceed the £30 billion compensation for mis-selling of payment protection insurance. That figure applies to the UK alone. Presumably the rest of Europe would be proportionately aggrieved and legally entitled to the same extent.
The law firm Collyer Bristow has suggested that customers could weaponise the new regulations by inundating organisations with requests for personal data from large groups of people. That could cripple them because they would be legally required to spend all their time dealing with non-productive actions. There is also a crowd-funded non-profit organisation called NOYB (None of Your Business), the purpose of which is to take consumer privacy cases to court under the new rules.
Anyone who has read Arthur Hailey’s book The Moneychangers (first published 1975) will know how it works and that story applied to a bank in one American city long, long before social media was even thought of.
Consider then the idea of a steadily increasing proportion of the billion Facebook members sharing their dislike of, let us say, a major international bank. Or for that matter, Facebook.
Anyone who has spent time on social media could instantly see how this might be turned from a small event with the benefit of local media coverage into a worldwide calamity for a major organisation. Plus, of course, it’s totally legal.
Right to confirmation
Everyone will have the right to confirmation that an organisation holds information about them, access to that information and other supplementary information. A virtue has been made of the fact that the mega corporations will have to give users more control over their data. Unfortunately, the same applies to small companies which don’t have the financial muscle to defend themselves as robustly as, say, Google.
Private individuals will have the right to have their personal data erased. This will apply where the purpose for which it was collected has ceased to exist, where consent is withdrawn, and where the data was unlawfully processed (see the above reference to Facebook in Belgium).
For the small business there are a couple of rules of thumb: one, don’t just send virtuous signals, actually be virtuous; two, be open and state that when people give you personal details, they’re going on your database, and tell people that they can be erased from said database any time they like. I predict that some businesses will start putting that information in larger type, as in ‘hey look, we’re the good guys’.