Nearly half of UK businesses (45%) claim to have put money aside to cover possible fines for not complying with the General Data Protection Regulation (GDPR) on May 25, according to data privacy and omnichannel data management group Ensighten.
When the update comes into force at the end of this month, companies in breach of the regulations face fines of up to 4% of annual turnover or €20 million; while these kinds of stomach-churning figures have been considered the reserve of public examples of the bigger, high-profile players in months and years to come, it seems British businesses are actively preparing for a strict and wide imposition of smaller penalties.
Worry about reputation
Should be companies be worrying so much about fines? According to the founder of GDPRPLAN.com, Micky Khanna, this isn’t the ICO’s (Information Commissioner’s Office’s) objective, and the real worry should fall to reputational damage.
“The ICO has gone to great lengths to state that their aim isn’t to give out fines unless the offence warrants so,” said Khanna.
“However, the reputational damage as a result of the negative PR – which there’s no getting away from, as we’ve seen with the ICO announcements on their website – that goes along with being found guilty of non-compliance is something that should be concerning if customers decide to leave and work with competitor solutions.”
When it comes to the root of the concerns, however, it derives from an apparent lack of readiness across the board, with 61% of respondents claiming they would apply for an extension on the deadline if they had the choice, due to mounting fears that they will not meet GDPR requirements in time.
Just 26% of the 152 marketers Ensighten spoke to were “very confident” that their data governance procedures were robust enough to be deemed compliant, while nearly one in ten (7%) admitted to not having implemented any GDPR-related actions yet.
When it comes to those are at least making some progress on GDPR readiness – 63% stated they had put new policies in place to increase the quality of data they receive after the deadline – less than half are enforcing new policies on partner data acquisition at present, which may leave them exposed to GDPR non-compliance after the fact.
An accountability issue?
According to Ensighten, one of the key reasons preparedness is so poor could be a lack of accountability, with research finding no real consensus among businesses regarding who should be in charge of GDPR overall.
According to respondents ownership was with the CEO (32%), the chief data officer (26%) and the chief marketing officer (22%); a mere 14% pointed at the data protection officer as the risk manager – yet this is a GDPR mandated position where organisers perform regular and systematic processing of data subjects on a large scale – and of these nearly a third (27%) had not filled this mandatory role.
The GDPR introduces consumer data consent requirements that give new power to consumers. If consumers do not explicitly opt-in to share their personal data, it could have a meaningful impact to businesses. However, the study shows that only 13% of marketers will provide greater education on data rights and responsibilities to consumers within their marketing communications.
Moreover, only one in ten (9%) marketers said that they would be using more frequent customer contact to educate or to request permissions of users. The insights suggest that while marketers are working to become GDPR compliant they are not educating their customers on why they need their data.
“Educating consumers on how their personal data is used and why their permission is needed is essential to building consumer trust and gaining their opt-in consent. GDPR is not just a legal hurdle to jump,” said Ian Woolley, chief revenue officer at Ensighten.
“Whilst brands are putting money aside for fines, they should not underestimate the damage to their reputation and business from not educating customers now,” Woolley echoed.