Today (November 24) marks six months until GDPR (General Data Protection Regulation) comes into effect, and while some in the industry might think the point’s being laboured, others feel far from ready.
What’s agreed on both sides of the fence, however, is that the impact of the new regulatory update is going to hit hard.
To get a gauge on just how prepared the digital marketing industry is at large, PerformanceIN caught up with Micky Khanna, founder of GDPRPLAN.com, a consultancy service for companies of all sizes looking to get their data affairs in order ahead of May 25, 2018.
Hi Micky, with six months to go until GDPR comes into effect, it seems there’s still a big disparity in the level of preparedness across members of our industry...
Micky Khanna: There certainly seems to be a wide range of opinions regarding the arrival of the EU GDPR and what that actually means for companies I’ve spoken with – ranging from micro-small enterprises through to FTSE 100 multinational businesses.
An article published in Drapers Magazine recently - “GDPR- Are you Ready for D-Day?” - where the chief executive of one pure-play e-tailer explains that it began by “Seeking good advice about what to expect” is probably a good starting point, and GDPRPLAN.com helps companies to identify and assess the risks within their business so that they can plan and implement steps to ensure compliance.
Why are some companies finding it difficult to manoeuvre ahead of the change of regulation?
MK: It’s probably best to precursor this response and understands the 1998 Data Protection Act - in accordance to the 1995 Data Protection Directive - which was formed to ensure that, primarily, institutions and corporations were duly accountable for controlling and processing personal data - mainly credit information.
However, the unprecedented growth and impact of the ‘Digital Revolution’, including IoT, means that companies of any size including SMEs and micro enterprises have the ability to control and process personal data to pursue their business activities, whether it be for sales, marketing, human resources, customer service, or otherwise.
There are undoubtedly challenges which arise when going back through 20 years of personal data, and establishing the legal bases for obtaining and processing that data, and whether that personal data was ever transferred outside of the EU or EEA to a country with adequate protection and under binding corporate rules or under model contractual clauses. The EU GDPR states that companies have to respond within one month to Subject Access Requests [SAR] from customers and employees - either ex or current. It will certainly make for interesting times.
You’ve had an extensive career in performance marketing, so with that experience in mind, tell us a bit about GDPR Plan and your motives for launching it?
MK: Indeed, I have enjoyed an extensive career and I’ve been fortunate enough to have been part of an industry, since 2004, that has led the way in terms of delivering growth through transparency, measurability, and accountability - the latter also being the underlying “seventh” principle of the EU GDPR in fact.
However, despite the mass mainstream media and industry coverage around GDPR it was difficult to find an appropriate solution offered to all companies, so this triggered the decision to educate myself on the regulation, and after gaining certification as an EU GDPR Practitioner, I then completed my qualification in Certified Information Security Management Principles.
My resource partner Martin de Bruin brings over 25 years’ expertise within IT security and Information Governance, within the finance, insurance and telco industry. Martin trained me as an EU GDPR practitioner and with our collective knowledge and contacts, I saw an opportunity to deliver expert training and awareness of data protection and Information security.
One of the key requirements of the new regulation in terms of accountability & governance is staff training & competency, which is what we deliver to businesses and teach them to identify and assess vulnerabilities and threats to personal data within their organisation so that they can plan and implement the appropriate strategy that ensures their business is compliant. I believe that this proposition is unrivalled anywhere in the world of performance marketing, and which was my motive for launching GDPRPLAN.com.
What’s been the most common data concern among your clients so far?
MK: I would say that there has been a mixed response as to what the data concerns are for the businesses I’ve spoken with, but the confidentiality and security of personal data that is either stored or transmitted across an organisation repeatedly come up in meetings and conversations.
Also, educating staff about the importance of data protection and information security is a common request. A report labelled the 2017 Cyber Threat Defence Report quotes that “The biggest barrier to establishing effective defences is low-security awareness amongst employees”, followed by “lack of skilled personnel”. Not far behind these two factors is “Lack of Management Support and Awareness” which raises the question as to the awareness and knowledge of information security and data protection at senior management level.
Despite your efforts, do you think there will actually be a lot of ‘casualties’ when May 2018 rolls around?
MK: Opinions are well and truly divided on this! However, let’s look at this from the perspective that the ICO are investing heavily in the recruitment and training of staff to prepare for the EU GDPR - one article states that they are recruiting an additional 200 staff to add to the current 500. In another article for the Financial Times, Elizabeth Denham, the UK ICO representative, states that “data-heavy companies, government organisations that need new leadership in data protection [and] large consulting firms” had been poaching staff in anticipation of the new rules coming into effect.”
Will there be sufficient resource to cope with the demand as individuals - “data subjects” - become more aware of their rights under the new regulation which could result in mass volumes of Subject Access Requests? The ICO states in one of its recent blogs that “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm” so maybe we should be focusing on the size of the fines issued rather than the number of casualties, and what happens to those companies who suffer the negative PR and publicity by the mainstream media. In the same FT interview, Denham goes on to say that “Even if there’s a £15,000 fine as opposed to a £3 million fine, there’s still reputational damage.”
What would be your one warning to marketers around GDPR, and your one piece of advice for readying themselves?
MK: The fines and penalties issued if found guilty of non-compliance or lack of accountability and governance should provide enough of a warning: DOING NOTHING IS NOT AN OPTION when it comes to the EU GDPR.
One piece of advice? Well, the first thing any business should have done by now is to raise awareness of the regulation to the key decision makers within their organisation. That should then lead to the assessment of how personal information flows throughout their business - both upstream and downstream - as well as across their organisation. Once these data flows are understood, documentation that records the level of severity of the weaknesses should help to make informed decisions as to how to ensure confidentiality, integrity, and availability in the storing, processing and transferring of that personal data, that should do for starters...
Will you continue to run the service after GDPR arrives?
MK: The EU GDPR states that If your organisation has more than 250 employees, you must maintain additional internal records of your processing activities. The regulation also states that if your organisation has less than 250 employees you are required to maintain records of activities related to higher risk processing, such as processing personal data that could result in a risk to the rights and freedoms of an individual.
Given that there are 5.5 million UK businesses, of which 5.4 million employ under 250 staff, and 7,000 companies employ over 250 staff, I believe that there will be an ongoing demand for staff training and competency requirements around information security and data protection beyond May 25, 2018.