Are we there yet?
Given the considerable amount of information being published each day on the GDPR, anyone with an email marketing list or data on employees might well think that the legislation is live now. Yet we still have weeks to go.
Or do we?
There’s a website I use for research that has a page dedicated to the GDPR and its impact on medium to small firms. It is not specific to email marketing but much of what it contains is relevant. On the top of the landing page, just below the banner, is a countdown clock. It currently shows in excess of 50 days before the GDPR is live.
I don’t think this is helpful. It gives the impression that we have over seven weeks of pre-GDPR freedom. This is far from the truth. To all intents and purposes, the GDPR is now. 25 May is only an indication of the day from which penalties come into play.
If you receive personal data from another company you will, no doubt, have received an email or letter saying something similar to one I received:
‘We are unsure if you have completed the process of becoming GDPR compliant. Under the law, we are unable to work with processors who are not GDPR compliant. Can you confirm that you are compliant or, if not, when you expect to be? Until we have confirmation we will be unable to work with you.’
To many companies, especially those which are compliant, the GDPR is live now. You can understand their reluctance to put their own interests at risk just because a company is not that bothered.
One way of looking at the current situation is that it is a massive opportunity for a well-run company to put one over the unprofessional ones.
You can still find offices with poorly maintained servers where the essential patches have not been applied. Their anti-virus is cheap, even free, and they have no firewalls. Personal data is printed off without record and stored on desks for all to see. Staff would know little or nothing about cybersecurity.
This is not unique to email marketing of course, and is not restricted to medium-sized companies; if anything, just the opposite. I am told that many legal firms operate at this level.
Whilst the ICO is unlikely to target the smaller companies in the first instance, although don’t quote me on that should the worst happen to you, there is the possibility, likelihood in fact, of civil actions.
When you receive the email asking if you are compliant, you should be able to state that all your systems comply with the GDPR. Give contact details for your DPO or someone who has responsibility for receiving queries on the Regulations. State that all your staff have been subject to a course on their responsibilities. Be forceful in your preparedness and you will probably stand out from other companies.
We are there now. In fact, we’ve been there for some time. 25 May is a date of no significance.