Stress was amplified because many companies couldn’t work out what was required either, adopting the sledge-hammer to crack a nut approach.
The GDPR was hailed as a huge change. This, the pundits claimed, would change emailing for ever. Make the world a brighter place for consumers sick to death of inboxes flooded with spam and other irrelevant information they didn’t recall signing up for in the first place.
And the GDPR people and the UK’s Information Commissioner waved a big stick. From now on, non-compliance wasn’t so much ‘catch us if you can’, but eye-watering sums of money designed to penalise big companies that stored our data carelessly or maliciously. Companies can be fined up to 4 percent of their annual global turnover or €20 million, whichever is higher.
By standardising data storage and enforcing good practice, the requirements promised to “reshape the way in which data is handled across every sector, from healthcare to banking and beyond”.
But GDPR has a Y2K feel to it. For those of you too young to remember, companies went into a tailspin ahead of the year 2000 because it was feared the date ‘2000’ would be too much for computer systems which would reset to ‘1900’ instead, when in fact very few problems were reported.
And despite all the threats, a prosecution for non-GDPR compliance has yet to be carried out (as of 7 June 2019), and professional spammers still send their nuisance emails from outside the EU and the US.
Many companies have chosen “legitimate interest” as their basis to continue. What is legitimate interest? It is one of the six lawful bases for processing personal data. Because it is not centred around a particular process (i.e. performing a contract with someone), it is more flexible and in theory could apply to any type of process.
And the lack of understanding of what it actually means to the general public when in the workplace is astounding. HR departments, for example, handle lots of information from recruitment to employer references, record-keeping and performance monitoring, and it is vital they explain what they do with the data to not only employees but anyone applying for a job.
But none of this is to say companies should be complacent. GDPR is not a single event--it’s a continual compliance process where companies monitor their data storage and especially breaches, which must be notified to affected individuals within 72 hours. There is also emphasis on opt-in, rather than this being the default
And those who took the threat of GDPR serious now have cleaner, more targeted marketing bases which works in their favour. Who wants to send out newsletters to those who aren’t interested and are unlikely to buy? It will be interesting to see how this plays out in the next few years.
Perception SaS offers cloud based software or subscription bureau services, which--naturally--is GDPR compliant.