The great GDPR knowledge gap and why many businesses will fail to comply

The EU's attempt to unify data protection with a single law, the General Data Protection Regulation (GDPR), has created a problem for any organisation holding information on members of the public.

It is a big and complicated problem that will mean reengineering data protocol and rewriting or buying new software – and if it is not overcome successfully, heavy fines will be applied. Worst of all, there is almost nobody to help.

The particular challenge was identified following a briefing by a compliance officer of the Information Commissioner's Office (ICO) at the headquarters of the Direct Marketing Association. After running through the not insignificant list of compliance tasks the regulation involves, each of which can be considered a significant job in its own right, someone asked what sort of consultancy support is available to help.

It is possible to get a good indication of the answer to the question by looking at the basic numbers involved. There are more than 360,000 companies, plus charities and other organisations that need to change data protocol and much else to meet the new compliance standard.

There are perhaps 200 individuals who have the data compliance experience and understanding of the technicalities of what needs to be done to prepare for GDPR. Most are embedded as data protection officers or in-house consultants. That leaves as few as 20 people to provide hands-on support.

The knowledge aspect of the challenge will, to some degree, be offset by the written and video guides produced by the ICO and trade associations. The DMA will incorporate EU data law into its well-regarded, constantly-touring data compliance roadshow.

But there is a big difference between knowing what you have to achieve and taking on the task. For example, if data is used for marketing purposes it will be necessary to contact every individual there is a file on to ask them to agree to the new enhanced level of opt-in consent.

There will be very few second chances to get this right if consumers either ignore or reject the request. Failure to use the correct tone and content, or the right promotional premium to entice a positive response, will mean to all intents and purposes that customers and prospects will be gone forever.

That means valuable data that may have taken years to build has to be erased. It is not the sort of thing to risk based on a PDF guide or advice on YouTube.

There are other tasks to be completed, such as amending CRM systems to store individual consent forms and creating a gateway through which individuals can request and have information on them removed as part of their ‘right to be forgotten’.

There is plenty of research from the EU, ICO, Direct Marketing Association and even the Ministry of Justice highlighting the need for, and costs of, appointing data protection officers, training marketers on GDPR, and utilising specialist consultants.

The only thing is there are no EU data law protection officers to recruit, nobody to train the trainers, and consultants are extremely thin on the ground.

Many data owners will presume they can get IT suppliers or data supply companies to sort all this out. They normally have someone that comes bolted on when buying whatever it is that is needed. Ordinarily that would be a good option.

Data providers do offer consultancy, but in this case the majority are unprepared for GDPR themselves, and face a huge task in salvaging their own data. IT specialists will be able to build or amend a CRM system, but they will not be able to handle the communications aspect of GDPR compliance.

It is convention in this type of editorial for the author at this point to make him or herself look very impressive by pulling the proverbial rabbit out of the hat, and announce the perfect solution to the problem. Except this author cannot do that because there is no such rabbit.

The next best thing is to advise that steps should be taken immediately to become as familiar as possible with GDPR, undertake research and hire in help as soon as possible.

There is still some consultancy capacity available, but when full details of the data law are published in the New Year, resources are likely to be snapped up – and from then on it will only be available at a premium for a very few.

Unless businesses are already on top of the EU compliance process, or have the confidence to go it alone by attending seminars and relying on video and written guides, then time is running out for obtaining qualified assistance.


Sourced from Dene Walsh, Operations and Compliance Director, Verso Group

Ben Rossi
