What’s next for the EU GDPR?

On Friday February 26th, I joined about 30 other marketers at the DMA Data Protection Conference and of course the words on everybody's lips was "GDPR".

Unfortunately, for those who were hoping to walk away with all of the answers, there are just no answers to be had at the moment. Check out one of my previous blog posts about GDPR which explains the process behind defining the new data protection laws. The final language has been agreed in Brussels but it is currently being translated into the official member languages. This is a painstaking process because it is more than just translating the actual words but also the intended meaning behind the words.  We are expecting this process to last until June or July. We know that we will have two years to implement the new regulations but the clock has not yet started and won’t until these translations are signed off.

The lack of final language has already made many in the email industry, especially those based outside of the EU, hold back from beginning their planning. This is further exacerbated in the UK with the pending “Brexit” vote. The message coming out of the conference is that neither of these are a reasonable excuse to delay. A lot of the work that will need to be done over the two-year implementation time will be technical development on data bases and other systems. The changes are likely to be significant enough that two years will not be enough time. Take this extra three or four months to identify which changes you need to make and get your plans in order. But the small changes to the language that may come out of the translation process can be accommodated before the final plan is signed off and development begins.

Delaying your planning awaiting the Brexit result is similarly a non-starter. Regardless of whether the UK is in or out of the EU, we cannot ignore the fact that the EU will remain one of – or if not -the largest UK trading partner. We will have to adopt a data protection law similar to the GDPR in order to be able to continue to trade across the EU. Given the complexity of the results of an out vote (which has been estimated at up to a ten year process) and the amount of negotiation that has just been completed on GDPR, it would not surprise me if the UK government just adopted the GDPR as written, even if only as a temporary measure.

Clearly there is no real justification for delaying your planning but knowing that and convincing senior management of that is two completely different things, which lead to one of the best questions of the day. I think Christopher Graham (the outgoing Information Commissioner) provided the best answer when he described the potential fines in the new legislation as “eye watering”. It was only recently that the UK ICO was granted the power to levy fines up to £500,000. The new legislation allows for fines up to €20 million or 4% of global turnover, whichever is greater. Now I do not suspect that the ICO will be looking to hand out big fines from day one on the new regime, but Christopher Graham’s term as ICO ends in about four months’ time and who knows if the new ICO will continue the practice of using the enforcement stick only when necessary.

Similarly, this will not be another cookie law implementation. Since that non-event a number of things have changed. Most prominently has been a change of the government’s approach to the ICO and the recognition that enforcement is only as powerful as the enforcer is strong.  The ICO has been given both the ability to charge larger fines and civil penalties and more importantly, the budget to hire the staff to investigate claims and charge those fines.

There is no denying that this will be a thing; a very big thing. The message at the moment is we may not know the exact detail but we know enough to get started.