SBphotos - stock.adobe.com

Most UK marketers GDPR ready, but not all firms have a plan

Most UK marketers believe they are ready for GDPR, but a worrying number believe their employers may not be, as businesses are urged to embrace the positives a week before the compliance deadline

Some 81% of UK marketers are confident in their understanding and preparedness for the EU’s General Data Protection Regulation (GDPR), up from just 49% in 2016, a poll has revealed.

However, one in five (20%) of the marketers polled said their employers were behind schedule and would not be ready to comply with GDPR by 25 May. Worse still, 7% stated that their organisations still did not have a plan in place for GDPR, according to the latest report from the Direct Marketing Association (DMA).

The DMA has monitored the awareness and key concerns of the UK marketing community since 2016. It, and reports that there is a growing belief that the benefits of the new regulations to consumers outweigh the disadvantages to businesses, with more than half (52%) of marketers believing this to be true.

“It is encouraging to see that GDPR awareness and preparedness is at an all-time high, with marketers increasingly optimistic about the benefits of the new legislation,” said Chris Combemale, CEO of the DMA.

“GDPR is a fantastic opportunity for organisations to build consumer trust and highlight to their customers the benefits of sharing their data. Organisations should use it to build a culture within their business of putting the consumer first and improving their experience,” he said, echoing the view of the UK’s Information Commissioner’s Office (ICO).

It is promising to learn, the DMA report said, that 68% of marketers believe their employer is either on track or ahead of schedule with GDPR compliance.

In response to the findings that 27% claimed their organisations were either behind schedule or without a plan, Combemale said that while the ICO has stated that it will be pragmatic before handing out penalties, these companies must show evidence that they are doing everything in their power to be ready.

“Otherwise they won’t just be receiving fines from the ICO – they could lose their customers’ trust and be at risk of security breaches, with reputational damage posing a real threat to brand and share value,” he warned.

One of the biggest priorities for marketers and their organisations surrounding GDPR, the report said, revolves around staff training, with a spike in the past six months in the percentage of marketers who feel they have received appropriate training for GDPR, up by 21% from November 2017 to 54%.

But the report said it was a concern that despite the complexities of GDPR compliance and its impact on how organisations communicate with customers, more than a quarter of marketers polled (27%) have had no specific training to date, with 34% saying that more training was needed and approximately 68% saying that training would help their organisation comply beyond the deadline.

“The worst thing you can do is nothing – get started and do it logically, by following three key and simple steps: locate data, manage data and protect data”
Sarah Armstrong-Smith, Fujitsu UK & Ireland

“GDPR is a watershed moment for organisations as they strive to make data protection a core brand value,” said Combemale.

“That journey won’t end on 25 May, and industry professionals must continue to learn and adapt as they – and their consumers – get to grips with the new legislation. Therefore, ongoing training and support is essential for organisations to reap the rewards of GDPR,” he said.

With only a week to go before the compliance deadline, there is a lot of last-minute panic about whether businesses are GDPR-compliant or not, said Sarah Armstrong-Smith, ‎head of continuity and resilience at Fujitsu UK & Ireland.

“It’s easy at this stage for businesses to get side-tracked worrying about fines and forget that this regulation is ultimately a positive thing for them,” she said.

While it is important organisations do not underestimate the effort it will take to become GDPR-compliant, Armstrong-Smith urged organisations not to panic if they have not started yet. “The worst thing you can do is nothing – get started and do it logically, by following three key and simple steps: locate data, manage data and protect data,” she said.

Identifying what data they hold through data mapping is the top priority for organisations, she said. “Because ‘where the data is supposed to be’ and ‘where it actually is’ are two very different things – some companies still struggle with this. Many get caught up in trying to gather consent for everything, but if you’re going to prioritise, it’s important to start with anything that is a legal requirement – such as employee data, for instance,” said Combemale.

“Then, as companies get down to the core data they are legitimately supposed to have, the next step is to ‘cleanse’ the data, by amending and removing any data that is unnecessary, obsolete or irrelevant to the broader business, but all this is going to take time and resource,” she warned.

Finally, Armstrong-Smith said an immediate action that organisations need to think about is how they would manage in the event of a personal data breach.

“Even the best-run company could suffer from a hack or data breach – the right people, processes and technology will ensure organisations remain on the front foot for proactively identifying and managing threats.

“However, as simple as that sounds, many are still unsure of what processes they need to put in place to adequately protect sensitive data. They’re not alone. Leaning on experts is a great way of helping companies on their journey to becoming GDPR-compliant,” she said.

Read more about General Data Protection Regulation

Read more on Privacy and data protection