The Post GDPR Panic
Despite having such a long time to plan for the biggest shake-up of data protection laws since the introduction of the Data Protection Act and the Freedom of Information Act, many organisations, both large and small, left implementation and compliance right until the last minute, with many more missing the deadline. Anyone who processes the data of an identifiable individual in the EU must comply, no matter where the processor happens to be in the world. Needless to say, web designers and marketers are amongst the many who’ve had to fundamentally reconsider how they’ll operate post-deadline.
While the prospect of being fined the headline figure of 20 Million Euros, or 4% of a company’s turnover (whichever is greater) for failing to comply might have been enough of an incentive to make arrangements, it seems that even very large organisations have allowed that deadline to sneak up on them, leading to a last-minute dash to compliance.
As anyone who’s ever done their homework on the bus, on the way to school, on deadline day will know, a rushed job is often not your best work.
There’ll be no ICO hunt for ‘Heretics’
First of all, don’t panic. The Information Commissioner’s Office, the body responsible for data protection issues in the UK, is a watchdog with teeth, but it only bites reluctantly. Even before GDPR, the ICO stated that they’d rather inform and advise on compliance than use their powers to fine and sanction.
While everyone is getting used to the new rules and how they are applied, mistakes are going to be made and it’s unlikely that the Information Commissioner will be hunting down and fining small businesses who’re demonstrably trying to do the right thing. But do make sure you can demonstrate your good intent.
Things we’ve been seeing
At Falkon, we took the trouble to read through the legislation, get advice and even speak to the Information Commissioner’s Office itself, in order to be as well informed as possible when considering the strategies and compliance measures in place for ourselves and our clients.
However, it’s clear that not everyone took this considered approach. The hashtag #GDPRfail is already proving quite popular!
It’s early days yet, but with data protection in mind, it’s been surprising how many things we’ve seen which could have been done better and how many things we’ve seen which suggest that those engaging in using personal data seem to have no awareness of the changes in the law.
There are three main groups of ‘doing it wrongs’ – those who’ve ignored GDPR completely and are likely to come unstuck when it catches them up, those who’ve overcompensated through either panic or poor advice and those (outside Europe) who’ve simply declared the entire continent a no-go zone to avoid having to deal with issues of privacy.
Ignoring the GDPR Deadline
Anyone who has a phone will at some point have received unsolicited calls from companies they’ve never heard of, often speaking in thick accents and on terrible lines, attempting to find out information or engage in business of one kind or another.
Having a business phone line more or less guaranteed that there’d be at least a few such calls each day. We were hoping that, post-GDPR, these calls would dry up. There do seem to be fewer; however, they’ve not gone entirely. We had a cold call last week from a company in Sheffield. When asked where they’d obtained our information, specifically the name of the Director for whom they’d asked, they blithely said that they’d been passed the information by another agency and that it was OK because they look after information carefully.
It seemed pretty clear that the agent we spoke to had not had any briefing on the implications of the new rules. Perhaps the call centre is going to be run until it gets closed down, which is pretty risky given that the Information Commissioner’s Office was actively going after Directors of call centre companies even before GDPR hit.
Overcompensating for GDPR
The other extreme we’ve seen is the complete shutdown of anything which might contain personal data. In effect, there are companies and individuals who, rather than find out what they need to do, have thrown their hands up in the air, closed down their websites and deleted their mailing lists.
Pretty much anyone who has an email address will have had an inundation of ‘opt-in’ emails. However, not all of these were entirely appropriate or even necessary. So long as your business had collected addresses properly, put some very simple steps in place (many of which are easily actioned using the popular email management tools) and had a legitimate interest in contacting the addresses stored, then in many cases there was no need to ask users to opt in again or to delete those who didn’t. There will, however, have been many email marketers who’ve been dismayed at how many people, when asked, have chosen to ignore their carefully crafted opt-in email.
Refusing to deal with GDPR
Another huge overcompensation has been seen on some websites outside the EU. Rather than get with the privacy zeitgeist, they’ve chosen to block visitors in Europe from seeing their sites. This shows a particularly short-sighted approach and it’s a little surprising that some very large websites, from very wealthy foreign media organisations, have taken this option rather than putting some of their considerable resources into doing things properly.
While the internet is full of businesses complaining about ‘this GDPR thing’, companies based outside the EU burying their heads in the proverbial sand are probably only delaying the inevitable. The move towards privacy, while being a bit of a shake-up, has been as widely welcomed as it’s been complained about.
We expect to see many countries around the world using GDPR as a model for their own privacy policies. Given that anyone who deals with anyone based in Europe will have to comply anyway, this makes complete sense, and any business that switches off Europe as a way to deal with the changes is only delaying the inevitable and making itself less competitive in so doing.
Degrading the user experience
Have you visited a website recently which you’ve happily used many times before and been greeted with a big ugly ‘privacy/compliance’ box blocking the screen? Maybe you have no idea what it said, because you were too busy trying to get to the place you wanted to go, hurriedly clicking ‘Agree’, perhaps with a little irritation at being interrupted. Yep, us too!
It seems website owners are so caught up battening down the hatches, they’ve forgotten that pop-ups which block too much of the screen degrade the user experience. Only a few months ago, Google and Chrome started filtering out disruptive ads, etc., in an effort to make the internet a less annoying place to be. Could these over-large pop-ups lead to losses in rankings as a result? Time will tell!
GDPR – Doing Privacy the Right Way
At Falkon, we’ve helped many of our clients stay on the right side of the new regulations when it comes to the digital side of their businesses, without losing them their hard-won customer databases or annoying their site visitors.
With so many of our clients’ competitors having taken more extreme options and left themselves less competitive as a result, the companies who’ve taken the trouble to familiarise themselves with the new regulations and taken a smart, considered approach to their obligations will doubtless prosper at the expense of those who haven’t.
If you’d like to speak to us about data protection and privacy as it applies to the digital side of your business, feel free to get in touch with Falkon and find out how we can help you to keep compliant in this new age of privacy.