A toxic mix of inertia and perceived inaction on the part of the Information Commissioner’s Office threatens to trigger a bombardment of data repermissioning campaigns over the next 12 months as companies finally discover what they need to do to be GDPR compliant.
The ICO has said it will publish its final consent guidance later in June, but that gives companies less than 10 months to get their plans in place. Other key guidance will follow that, including how firms can use “legitimate interests” to process personal data, which it has been claimed may force them down yet another route.
Earlier this week the RNLI admitted it had adopted the opt-in regime too early, despite seeking advice from the ICO, and is now rethinking elements of its approach due to the more restrictive approach the regulator is proposing. The ICO countered by saying: “When people are asking for clarity, what they often mean is ‘I don’t like that answer; give me a better one’.”
Industry sources are fearful that the ICO “go-slow” is leading to many firms simply putting GDPR compliance on the back burner. One insider said: “Most companies I speak to know they have to do something but all the time there is no guidance, their hands are tied.”
The claims are reinforced by a new study by Royal Mail Data Services, which shows that while nearly three-fifths (58%) of UK businesses are concerned that their own customer data may not comply with the new Regulation, over a quarter (28%) have no plans to approach customers for fresh permission to market to them while a fifth (20%) do not know whether they will seek fresh permission or not.
Royal Mail Data Services warns that if organisations rush to meet the 25 May 2018 enforcement deadline, there is the danger that consumers will be bombarded with permission requests from many different organisations, which they may choose to either ignore or decline.
As a result, organisations may find themselves holding non-compliant, unusable customer contact data which could impede future communications with customers.
Royal Mail Data Services managing director Jim Conning commented: “With less than 12 months in which to comply with the GDPR, I urge all organisations to get moving with their repermissioning campaigns and compliance programmes.
“Managing customer contact data is a complex business, so it’s worth seeking expert advice to ensure future marketing communications are compliant with the new laws. By failing to act now, organisations not only run the risk of fines but also a loss in customer confidence resulting from the use of inaccurate, unpermissioned contact data.”
The research also finds that the use of data from third-party providers has declined by nine percentage points since 2014. Half of organisations (50%) now rely on their own first-party data to support their marketing activities, and 30% do not source or hold third-party data at all, making the need for sound guidance all the more urgent.