The expert interview on why GDPR is changing business for everyone

Think you know GDPR? Think again – we interviewed Zach Thornton from the Direct Marketing Association to find out exactly why businesses need to have it on their radar.

The General Data Protection Regulation (GDPR) is coming. In less than a year businesses will have to change how they handle data or run the risk of huge fines. GDPR is an initiative from the European Parliament, the Council of the European Union and the European Commission, designed to put the privacy of European citizens first when it comes to personal data.

Personal data in this instance could be anything from mobile numbers and staff contact details to an email database you send special offers to. It’s about making your internal processes for collecting, processing and storing data more robust and conscientious. The same thinking applies to how you use the data externally, in sales, marketing and with third parties.

Ultimately this regulation means data protection will become sacrosanct and there will be hefty punishments for those who don’t get compliant. But don’t despair, we’re here to help.

To cut through the myths and red tape around this new regulation and make it as straightforward as possible, we sat down and spoke to Zach Thornton, External Affairs Manager at the Direct Marketing Association (DMA), who tells us exactly why it’s so important for businesses of all shapes and sizes to get educated and get ready for GDPR.

Let’s start with the big numbers: Businesses can be fined either 4% of their annual turnover or up to £20m if they’re not GDPR compliant, which could be devastating for small businesses in particular. Do people realise the impact GDPR could have on them?

GDPR is concerned with giving citizens more control over their personal data. So, wherever personal data is being processed, whether you’re a large corporate company or an SME, it will apply to you equally.


This is a regulation that’s been created by the European Union – what’s the impact of Brexit on GDPR?

I think many companies were expecting that Brexit would delay or take away this regulation. Given the current timetable, we’re leaving the EU in March 2019 – that’s almost exactly one year after GDPR will apply in the UK.

After Brexit, it’s unlikely we’ll be seeking to leave it. Instead, we’ll be seeking an equity status, which means the UK is able to freely share and exchange data with EU countries the same as it’s able to now. To achieve this status, we’d need to offer similar data protection safeguards to other European countries. It’d be in our best interests to keep GDPR after Brexit. Don’t delay your plans. It’s here to stay.


What happens if you’ve got a business which does trading worldwide? Does the regulation still apply?

The GDPR will apply to any company, individual or business which is processing data about European citizens. So, if you’re using an American cloud server company, the law would apply to you the same as it would in London or Berlin. If you’re using cloud services where data is stored in other countries then you need to check that company is compliant with GDPR. It’s going to be in the best interests of companies in North America that they’re compliant so they don’t lose business over here. Many of the big tech companies like Google and Facebook have already spent a lot of time and money to make sure they’re ready for GDPR.


So, we know that the big companies are taking it seriously but is there anyone who doesn’t? Are there any big myths going on about GDPR doing the rounds?

There are two myths, one which we’ve been through already about people thinking Brexit means GDPR won’t matter. The second is regarding Business to Business (B2B) marketing. Research has shown that B2B doesn’t seem to think that GDPR applies. If you’re using personal data – work email addresses, work contact numbers, things like that, it’s still personal data.

What state are UK businesses in at the moment regarding GDPR? Are they ready? Aware? What’s the general feeling out there?

The more people know, the more they realise they don’t know. In reality, no one is going to be 100% compliant by 2018. There’s so much to do and the regulators haven’t given us the information we need to get there.

If you’re an SME company you need a vision. Use GDPR as an opportunity to transform your business. Make security and privacy part of your DNA. If you have a vision to do something positive and you’re doing everything you possibly can then you’re putting yourself in the best possible place. If you treat this as a box ticking exercise then invariably you’re not going to treat data responsibly and be accountable. That’s where you’re going to come across difficulties.


So GDPR should be seen as an opportunity for business transformation – security, your technology, your staff...?

Absolutely. It’s about business transformation. Look at your HR department and how people treat data. Look at how your marketing treats data. It needs to be driven from the top – the head of the company must believe in this stuff. Treat it with the importance it deserves.


We know that this is going to lead to a lot of positive change but what else will change with how we use and store data?

The threshold for consent is being raised significantly. So, marketers will find it quite difficult to achieve consent in many instances. Legacy data will be a particular issue. People have many, many databases full of data, some collected a long time ago. If you want to carry on using it after May 2018 it needs to be GDPR compliant. It means going out and getting them to consent to you having their details again – if you can’t get consent then you’ll have to delete the record.

We’re moving into a time of less data, so data will come at a premium. Small businesses will feel it a lot more, since they don’t have access to large databases. SMEs and companies who rely on preset data contact lists will suffer too. If you can’t expand your list that way it’ll make it difficult to expand your business that way.


What about social media marketing? What if you have a large social following and use the data collected on your Facebook page in your marketing? Will you have to ask everyone for consent or delete and start again? How can they navigate platform-based privacy?

I don’t think they’ll have to start from scratch. I know that companies like Facebook and Twitter have spent quite a lot of time changing their privacy policies and they’re getting that fully aligned with GDPR.


So, social data handled externally by the platform provider is fine but what about a small business with locally stored data on a small network drive?

It could be advisable to speak to someone like the DMA or get in touch with a consultant security company. Ask for the top tips on how to keep data secure and make sure you’re fulfilling those. Probably the biggest problem in data security isn’t the fancy equipment or software, but the people within the business themselves. SMEs don’t spend as much on security training as bigger businesses. Most breaches you hear about are because someone lost a laptop and it wasn’t encrypted – basic things that you don’t need a consultant for. Just make sure your business is made aware of how to keep data secure – encryption, don’t open certain emails – equip them with the basics. Human error is the leading cause of data breaches. Train your staff.


Will there be structural changes off the back of this then? Do you need to hire in a specialist in-house?

Some businesses will need to hire in-house if you’re processing large amounts of data. It could be a full-time member of staff or a consultant, someone who’s an expert on data protection laws and someone who can advise you.


What can SMEs do right now to get GDPR ready?

I think the most important first step is to audit the data you have. The big thing is to take accountability. GDPR requires that you have an efficient and robust record-keeping system. You should be able to prove and justify your compliance with the law – when someone consents to marketing you should have a screenshot showing that tick, attach it to a privacy policy they signed at the time and then have it secured in a database.

You can’t claim to be accountable if you don’t understand what your business actually holds. Where data goes in, where it goes out – build up a comprehensive view. Once you’ve done this you can work out what data you don’t need and then how you justify holding the rest.

Then you can start thinking about privacy impact assessments on marketing campaigns. How could a campaign impact someone’s privacy? Then you decide off the back of it. If you were pairing the data you hold with a third party then that would be high risk.


How do you find a trustworthy third party to help you get your business on the right track?

The one thing I’d initially caution is that people would go out and spend a lot of money on law firms and it ends up being wasted money. They end up receiving advice with lots of caveats, which isn’t much different to what they could get for free online – you’re still left with lots of ambiguity.

So, if you’re going to go into a law firm or visit a consultant, make sure you have a really clear idea of what you want – which goes back to what we were saying earlier – a vision of business transformation. But if you go out there saying you just want to be ‘GDPR compliant’ then you get answers that are generic.


Once you know what you want to achieve, you’ve spoken to the experts, what can you do once you want to evaluate the data?

There are various types of consent mapping software out there at the moment – they map the journey of data in your business – how you gain it and how you store it, things like that. It has models for what messages you should use in the future when you contact customers.


If you search GDPR you get a lot of ads offering to fix everything for people. What are your top tips for finding out what’s a legitimate way of looking through the spam and finding a legitimate service?

The one thing I’m dubious of is when a company claims to be able to make you 100% compliant. I’d be suspicious of a company like that because no one can make a claim like that – there’s still too much to work out. Otherwise I’d be worried it won’t do what you think it will.

There’s no miracle cure.

Exactly. Meet with them first and get to know them before signing up.

We need to make people feel like exchanging their data with us makes us all winners. People accept in this world that nothing comes for free. But they’re angry that they have no control over their data. As a result, people feel like the modern-day economy is profiting businesses but consumers aren’t feeling the benefit.

Long-term, companies that go down that road now will be those who will succeed and thrive. Whereas those who show reluctance to be upfront will be the companies that fall by the wayside. Data protection and privacy will become more of a brand differentiator.


This is the first part of our series on GDPR. Keep a lookout for more information, how-to guides and a video on how you can successfully navigate GDPR and come out of it a safer, stronger, more successful business that’s ready for anything.