Today I am at PM Forum South West hosted by law firm Foot Anstey in Bristol listening to Rhodri Evans (Cyber Security Lead at PwC) giving his insights on GDPR. His advice towards GDPR is to simply see it as a risk - how much risk are you willing to wear? If you are happy with massive risk do nothing. If you want to reduce your risk then make a plan.
As I am sure you know, the fines connected with GDPR are punitive - 4% of group annual turnover or 20 million Euros (whichever is higher). There is a requirement for mandatory breach disclosure - if you make a mistake you have to own up to it within 72 hours. Keep mucking up and the regulator is going to get very interested. GDPR is a far more invasive regulation than what has come before.
Here are some of the key risks we need to be aware of according to Rhodri:
- There is now the possibility of US-style class action for privacy breaches. Rhodri mentioned that firms are calculating £1,000 per mistake. Importantly a complainant does not not need to prove distress - 'I was really upset' is enough. Threat of ambulance chasers looking for 'next PPI' opportunity is worrying. Maybe no win no fee?
- The regulators have far more teeth and, through higher fines, far more cash. Also they are no longer afraid of unsetting a firm as GDPR applies across multiple geographies.
- There are a lot of FUD bombs being dropped - FUD = Fear, Uncertainty, Doubt. Feels a little like Y2K. Importantly you must be able to know where all your data is, know what you can do with it and be able to move it or delete it.
Here are some PWC benchmarks - This is from a survey of firms across the UK:
- 86% without vision or strategy for GDPR compliance
- 91% not prepared for privacy by design
- 79% are not confident about accuracy of personal date
- 89% not disposing of data in accordance with Data Protection rules
- 93% not prepared to satisfy accountability requirements
Areas marketing professionals should focus on:
- Know the data you have, where it is and who has access to it
- Map where your personal data is located (it has to be stored within EU). Don't use a consumer free-to-use solution like free Dropbox
- What third-parties are you sending personal data to - have you done proper due diligence?
- Do you understand the risks connected to the data you have got?
- Do you have a contract in place?
- Is data being used for purpose you have committed to
- Do you do a privacy impact assessment - are using the data in the way in which you have consent?
Thank Rhodri - some great stories and actionable advice on what to do.