May 25th 2018, the GDPR enforcement date, has passed and the sky didn’t fall. The panic and media attention around the new regulation have died down. Suddenly, the GDPR feels like the Y2K disaster that never was. But is that really true? Can marketing teams breathe easy and take a step back from personal data privacy and compliance? The answer is no, and here’s why.
GDPR and Y2K - The big difference
We are hearing one phrase more than any other when it comes to the GDPR at the moment: “GDPR is just like Y2K. Big panic that disaster will strike and then nothing happens.”
Let’s just remind ourselves of what Y2K meant. In 1999, there was concern that when the new millennium kicked off all computers including your PC, onboard facilities on planes, government devices and everything else would malfunction and therefore disaster would occur. Today, we know this didn’t happen and Y2K is known as the disaster that never was.
The only similarity to the GDPR is the fact that both had a D-Day - 1/1/2000 and 25/5/2018 respectively. And perhaps that the hysteria created around both days was bigger than it needed to be. But seriously, that’s where it ends.
The GDPR, compared to Y2K, is very real. It is a law that has come into force. Businesses have to adhere to the rules and have to change how they work with personal data going forward. While the news cycle may have moved on and hysteria has died down, the enforcement of the GDPR hasn’t.
What happened after 25/05/2018?
The point of this article is not to scare anyone; it’s to show that the belief that the GDPR has no bite and will not be enforced is untrue. My advice to you is simple: if you haven’t completed your GDPR compliance project, you need to get started. The legislation is being enforced as we speak:
Just 5 days after the deadline, on May 30th, the first ruling came in: ICANN (WHOIS / The Internet Corporation for Assigned Names and Numbers) vs EPAG. A German court ruled that EPAG is not obliged to collect additional personal data.
Cases have been filed by Max Schrems, Noyb.eu and La Quadrature du Net against the likes of Facebook, Instagram, WhatsApp, Google’s Android, Gmail, YouTube, Google Search, Apple, Amazon and LinkedIn across different European countries.
US businesses like the LA Times are as of writing this post still not providing services to European visitors. They are willing to forego advertising revenue until they are sure they are fully GDPR compliant.
And if you feel the GDPR is only affecting big businesses:
France has seen a 50% increase in the number of complaints in relation to data privacy and Austria has seen 100+ complaints and 59 breach notifications filed in the month post May 25th (that’s the same amount they’d receive in 8 months usually) according to GDPR.ie.
From a home perspective, Helen Dixon, our Irish DPA, said this in May 2018: “There will be fines, and they will be significant.[...] I think it is quite clear that when we do identify an infringement that’s of the gravity, duration and scope that is serious, then we are obliged considerably to administer an administrative fine.”
These are really just a handful of examples of how businesses, privacy advocates, courts and citizens like you and me are using the GDPR to ensure that personal data is handled as it should be. They demonstrate the reality of the GDPR and the need to become compliant as well as to maintain compliance.
It’s not too late to get compliant
It’s never too late to become compliant! Compliance is an ongoing process and many businesses are only now starting to wrap their heads around it. So if that’s you, you are not alone. But you really need to get your compliance skates on!
Often, the GDPR is left with the legal and / or IT department of the business. And while both of these have a big part to play, commercial teams like sales and marketing have to up their compliance game, too.
Most sales and marketing teams today collect data online through forms like a “contact us”. Ecommerce businesses, of course, work with order forms that collect personal data. This data is often pulled into a CRM system where it is processed. This processing may include order fulfillment, invoicing or using the data to make a sales call or send a marketing email. Regardless of whether you are working in a B2B or B2C business and regardless of whether the order is fulfilled in Europe or not, if your business is based in Europe the GDPR applies and has to be included in your sales & marketing tasks.
The first step to becoming compliant is to understand the law. Easier said than done, right? The difficulties for many marketers are around avoiding miscommunication and myths as well as finding information that explains the GDPR in human-speak, not legal.
MII together with BusinessBrew understands this; we are marketers not lawyers. Our online course is based on my experience as a Privacy Professional accredited by the International Association of Privacy Professionals (IAPP) and ISO standard 17024:2012 as well as my experience as a marketing strategist. This mix means that I can explain the GDPR in human-speak as well as give you real life sales & marketing examples applying the regulation. The next intake for the online course starts on 13th August, be sure to register your interest here!
About Nikita Smits-Jørgensen
Nikita Smits-Jørgensen is co-founder of inbound marketing and GDPR consultancy BusinessBrew. While being ISO certified in privacy regulations for sales and marketing (GDPR / PECR) she aims to work with marketers in plain English to get GDPR-ready.
Nikita met fellow BusinessBrew founder Evelyn Wolf during their tenure at inbound marketing powerhouse HubSpot where they assisted businesses of all sizes and industries as well as marketing agencies in building their lead to customer generation funnels.
BusinessBrew is geared to help companies make the most out of their inbound marketing and privacy efforts in the most time and cost-efficient manner through workshops, training and the delivery of strategic playbooks.