Information Commissioner Elizabeth Denham might be trying to play down the threat of massive fines for breaches of GDPR but it appears UK businesses are not taking any chances, with nearly half (45%) claiming to have put money aside to cover possible penalties for not being compliant by May 25.
So says a new study by data privacy specialist Ensighten, which investigated UK marketers’ attitudes to data governance.
It found that over three-fifths (61%) of respondents would actually apply for an extension on the deadline if they had the choice – despite the two years’ grace period they have already received – due to mounting fears that they will not meet GDPR requirements in time.
Just over a quarter (26%) of UK marketers state that they are “very confident” that their data governance procedures are robust enough to be deemed compliant. The majority of businesses are doubtful the will be compliant on time and to the right standard, and nearly one in ten (7%) admit to not having implemented any GDPR-related actions yet.
For those marketers that are underway with their GDPR preparations, 63% state they have new policies in place to increase the quality of data they will receive after May 25.
However most businesses are not thinking holistically and exposing themselves to risk. Fewer than half (47%) of marketers are enforcing new policies on partner data acquisition, which may leave them exposed to GDPR non-compliance.
Ensighten chief revenue officer Ian Woolley said: “Unfortunately we found that brands are aware, but still uncertain in their final month of GDPR preparation. The good news is that brands still have time to deploy and optimise customer privacy and consent options on their websites.”
One of the reasons for the apparent lack of GDPR preparedness may be due to accountability. The research found that there is no consensus among businesses regarding who should be in charge of GDPR overall.
According to respondents it was the CEO (32%), the chief data officer (26%) and the chief marketing officer (22%). A mere 14 per cent cited the data protection officer as the risk manager – yet this is a GDPR mandated position for organisation which perform regular and systematic processing of data subjects on a large scale – and of these nearly a third (27%) had not filled this role.
The study also suggests that while marketers are working to become GDPR compliant they are not educating their customers on why they need their data.
Only 13% of marketers will provide greater education on data rights and responsibilities to consumers within their marketing communications. Moreover, only one in ten (9%) said that they would be using more frequent customer contact to educate or to request permissions of users.
“Educating consumers on how their personal data is used and why their permission is needed is essential to building consumer trust and gaining their opt-in consent. GDPR is not just a legal hurdle to jump. Whilst brands are putting money aside for fines, they should not underestimate the damage to their reputation and business from not educating customers now,” Woolley added.
ICO to publish final GDPR consent guidance in 2 weeks
Privacy chief Denham hits out at GDPR scaremongering
DMA demands answers over threat to third-party data
ICO stands firm on ‘over strict’ GDPR consent guidance
Third-party data crackdown will wreak havoc says DMA
DPN joins calls for more urgency over GDPR guidance
UK bodies publish GDPR ‘legitimate interests’ guidance
GDPR fears mount over delay to ICO consent guidance
Industry on alert over third-party data legal crackdown