I’ve recently read a report where the headline stated: Only 28% of firms say they are compliant with the GDPR today, with 30% “close to compliance”. It’s a shocking statistic. It’s even worse when you realise that, in all probability, a significant proportion of the 28% is wrong and they are not compliant. If you are in email marketing, I’d suggest checking to make sure you know precisely your level of compliance.
Penalties aside, although four percent of annual revenue is difficult to ignore, the damage to the confidence your subscribers, should you be prosecuted, will probably be even more serious for you. Ensure you are compliant. If you are, tell everyone.
The ICO is the place to go if you want to check your systems, and, without a shadow of a doubt, you want to check your systems. They produce a handy self-assessment: see https://ico.org.uk/for-organisations/sme-web-hub/checklists/data-protection-self-assessment/
It’s designed with SMEs in mind, although the GDPR applies to everyone of course. For those of us with the data from subscribers to email marketing lists, the need to ensure we comply is essential. They publish individual checklists for individual processes: controllers, information security, direct marketing, records management, data sharing and subject access, processors, and finally CCTV. As normal with the ICO, it is all couched in easy to understand English.
There are a number of benefits to us of completing the checklist, the main one being, I would assume, peace of mind as at least you will know. What percentage of the firms who said they were compliant had completed these or similar checklists we have no idea, but I doubt they all have. Yet all it takes is a few minutes of your time.
If the regulator pays you a visit, for whatever reason, and you produce the completed checklists, with follow-ups of those entries which you ticked as ‘Not Yet’, or ‘Partially Implemented’, it will show that you have taken the matter seriously. We in email marketing are vulnerable to accusations of non-compliance with the GDPR and if we do fail, demonstrating you, as an SME, did your best will probably help, but no promises.
