The two most common questions I'm asked relating to the GDPR are: "Will the ICO be coming after me after the 25 May 2018?", and: "Can I expect the ICO to make an example of a company or companies after the 25 May 2018?".
There are many changes to expect from the GDPR, but the overriding principle is that of Accountability. The onus is on businesses to prepare for the GDPR. If staff don't know about the GDPR, how can businesses be accountable?
By next May the ICO will have built up its pool of investigation and case management personnel to ensure they can deal with the policing of regulations in reaction to public complaints, which will continue to be the primary generator of complaints to the ICO, probably more so than today.
As mentioned above, the training of staff is implicit under the GDPR. With this in mind, the IDM has built an online tutorial package, the Professional Certificate in the GDPR and ePrivacy, to help your business prepare for May 2018 and beyond. Once completed, you will understand the principles of the regulation and the effect it will have on your business and your marketing campaigns.
So what will the environment look like after May next year?
From a marketing perspective there are some industries which will look very different to today.
The outbound cold calling telemarketing industry will further transform. Perhaps surprisingly, cold calling will still be permitted if the company calling can show it has Legitimate Interests to call, but it must then give a clear unsubscribe or opt-out.
The list rental or list broking industry may be hit. It could be that under the GDPR you will need explicit consent from individuals, with details of who data will be shared with clearly shown. This could make consent wording problematic, but we will have to wait for the final version of the ICO's GDPR Consent Guidance for clarification on this point.
On the positive side, consumers should feel greater empathy and trust towards a brand when they know it is compliant with GDPR. Companies will need to increase data security. Membership of trusted bodies like the DMA will help businesses show their customers that they take data security seriously. In the event of a breach, showing a thorough Privacy Impact Assessment will show the regulator that your business has taken steps to minimise risks to customer data.
One new industry already growing is based around selling your data to be shared with, or renting it to, other organisations. "What am I worth" is a concept which would put a value on your information. Companies pay a set amount of money for your consent to having your data shared amongst a group of companies. You would be paid dependent upon the amount and type of data you provided.
One thing is for certain: the GDPR will create a world of change, and those that fail to meet customer expectations and the standards of the regulator will suffer. Consumers will most likely move to those businesses that have embraced the regulation and trained their staff in what is and what isn't compliant, and how it relates to their day-to-day working practices.