Simon McLaven, CEO of The Ark
We have all read the plethora of statistics that point to the country’s lack of preparedness for GDPR. Yet speaking to many data managers, CIOs and compliance officers over the last few months, I do not believe that this corporate inertia is simply a matter of marketers burying their heads in the sand. There is a growing feeling that all levels of the organisation – from backroom to boardroom – remain genuinely unclear about certain aspects of the Regulation, especially the issue of consent, and that this confusion is paralysing compliance efforts.
Sadly, firms are being deterred from progressing with the necessary overhaul of their strategies and systems due to the dearth of detailed guidance on the practicalities of GDPR implementation. The DMA Group has recently added their voice to calls for greater clarification – from the ICO in particular – to bring an end to this state of limbo. The RNLI case – where a database repermissioning project from last year may fall foul of newer guidelines – will cause increasing frustration among marketers (and rightly so) because it penalises what should be a laudable, best-practice example of proactivity. This type of publicity sends out all the wrong messages, actively discouraging organisations from giving the green light to their plans for fear of having to go over the same ground twice. Let’s hope that common sense prevails.
Put simply, the ongoing uncertainty is no excuse for delaying all GDPR preparations. In fact, waiting for guidance about the opt-in model could mean losing valuable time in the race to shape up for one of the most basic elements of compliance – data quality. The overarching principle of data accuracy is enshrined in the Regulation in crystal clear terms: Chapter II, Article 5 (1d) states that personal data must be kept accurate and up-to-date, and that “every reasonable step” must be taken to make sure that inaccuracies are “erased or rectified without delay.”
This means that databases must be maintained to the highest possible standards which includes suppressing or updating the records of deceased or goneaway customers. This is an area in which many companies have become complacent, believing that the legacy suppression files they have relied upon for years will do the job. It’s a risky assumption – and at worst could lead to a technical breach of GDPR with its hefty financial penalties. Aside from the commercial benefits to be gained by boosting the accuracy of customer data, it is also worth bearing in mind that healthy databases will be the cornerstone of any repermissioning exercise. With the costs of customer acquisition set to rise in the GDPR era, now is not the time to lose track of valuable, opted-in customers when they move home.
The clock is ticking and companies that push ahead with their preparations now – especially in the fundamentals of database management – will reduce the likelihood of being thrust into a reputation-damaging, last-minute compliance panic as the enforcement date looms.