How U.S. based companies are tackling GDPR compliance, and how they can decide which sources of guidance will help, not hinder, their efforts
Whether it is the release of the Republican memo on the FBI or a Super Bowl victory, you may have noticed that Americans are not usually in the habit of treating those two imposters, triumph and disaster, just the same. Hyperbole and excitement are followed by despair and trepidation before settling into an uneasy optimism. This cycle is often repeated over and over.
So it is with GDPR. While some compare GDPR readiness with Y2K preparation, a better analogy, certainly for those of us old enough to remember it, is the “1992” bubble. That was the year the European Union’s single market came into effect. Many a conference organizer and publisher in the United States was able to exploit the misguided belief that American companies would magically be able to enter a market modelled on the U.S. economy.
Lawyers, marketers, business owners, and others are not short of information and advice on GDPR. And that is part of the problem. Direction and guidance are coming thick and fast from so many different directions that it is hard for the average executive to discern the truth from urban legends.
This is true to some degree for European-based organizations as well. But some things make it harder for Americans:
- As the rest of the world slowly tightens data privacy regulations, the U.S. shows little sign of doing so. In fact, in the current political environment the trend may be in the opposite direction. That means the technology infrastructure, internal knowledge base, or even the mindset needed to support GDPR have often not been in place, and companies are starting from scratch.
- Major U.S. companies often feel “picked on” by European courts. This may produce an ultra-conservative view in some, while smaller companies may pull out of European marketing altogether, at least for now. I have seen both reactions.
- The sheer severity of the potential fines adds to the nervousness. They far outweigh, for example, the penalties handed to Wells Fargo Bank for truly egregious sales practices: Wells Fargo, with almost $90 billion in revenue, was fined under $200 million for falsely creating over 3 million new accounts tied to existing customers. An upper-tier GDPR fine, which can reach 4% of annual worldwide turnover, could cost them more than ten times that amount.
- Even smaller exporting companies, especially in e-commerce, tend to market across all European countries. While the harmonization of rules makes compliance easier in theory, in practice data integration, opt-in tactics, and other factors can make it harder.
- Finally, the sources of information are very diverse, and so are the networks where experiences can be shared. Where such networks exist, they are usually virtual and therefore lack a solid basis of trust.
The very largest companies, of course, will have extensive legal and compliance teams throughout the world working on GDPR. This may well result in an alignment of standards across their global operations over time. In the short term, however, it is often leading to dysfunction and siloed activity. I have spoken to marketers in three Fortune 500 companies in the last month who are still waiting for the overall policy on consent to be handed down. And only then can they begin to react and make definitive plans.
Let’s look at the various types of external resource available: which need a health warning, and which are reliable. These are the main groups, which overlap to some degree:
- “One-off” blogs, tweets, posts and opinions from individual contributors
Almost everybody seems to have an opinion on GDPR, and these are often valuable because they provide a different perspective and good execution tips. However, treat them with extreme caution as far as definitive advice on the law is concerned. They usually come with a kind of “often in error, never in doubt” bravado. Another issue is that the “advice” is often repeated in other posts, so the errors are perpetuated.
- Vendor sponsored webinars and whitepapers
While most of these have an agenda – pushing services from data security to opt-in stratagems, or just trying to show “thought leadership” – this can actually be a benefit once you reach the execution phase of your compliance work: you can evaluate them just as you would vendors for any other service. An interesting twist on vendor webinars came from Integrate, which hosted a webinar with a consultant from Sirius Decisions. The impartial content from Sirius was followed by an infomercial from Integrate. Fair enough – the boundaries were clear.
- LinkedIn groups
One specialist group, “Data Protection and the EU GDPR,” is perhaps ground zero for confusion. The last time I logged in, it was dominated by posts from vendors, often with member comments contradicting the advice being given. Although there are some nuggets here (for instance a discussion I hadn’t seen before on whether you can insure against GDPR penalties), it falls short of being the useful and much-needed forum where its almost 10,000 members could share experiences. The sheer plethora of pitches under one virtual roof is overwhelming. This is wild-west LinkedIn at its worst – a lot of content with no editorial oversight. Much better is the Data Protection Community group, with tighter group rules and a lot of professional input.
- Trade publications and books
A number of trade publications have produced guides to GDPR that provide a useful overview of the regulation. By now their main value is a detailed but not overly technical guide for a general audience not directly involved in compliance delivery. The white paper from “B2B Marketing” is one of the best. There are also plenty of books on GDPR. I saw one post recently that reviewed the “Top 15” books on our favorite topic. 15! By May 25th we will be outpacing Churchill and Lincoln as subject matter. There is even a “GDPR for Dummies.”
- Trade Groups and Associations
There are some useful industry-specific guides – but overall you can’t do better than follow and track the UK DMA’s blend of content, webinars, and news items. This will guide you as you seek professional advice to balance business objectives.
For U.S. marketers in particular, my advice on how to use the GDPR “information lake” is:
- Understand the principles of GDPR well enough to form a strategy
- Use more specialist data sources to develop a plan (process flows, project templates, and so on)
- Check with consultants and lawyers to ensure you are on the right track
- Use the Data Protection Network for best practices and the latest information from official bodies like the ICO
And finally, tune out the “fake news” and unhelpful opinions. If you already understand a principle or process, there is usually no need for a second opinion. More is not necessarily better.
Robert Howells, February 2017
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.