The lugubrious ticking of my internal GDPR Doomsday Clock struck a minute closer to midnight last week.
Tick, it chimed: “only 5 per cent of marketers fully understand what the GDPR means for their business.” Tock, it said: “50 per cent say they don’t really understand it at all, or [literally] don’t know.” The Chartered Institute of Marketing (CIM) drop a statistical A-bomb in my inbox, and all hope of anyone making sense of the biggest ever overhaul of data regulation, is gone.
It’s becoming painfully clear that many businesses – whether marketers or else – have neither the time, resources or know-how to deal with the EU’s General Data Protection Regulation. Implementation is 431 days away, and yet, the CIM/ YouGov poll finds just 11 per cent of businesses already have systems in place to ensure compliance. Almost a third of marketers are “clueless” as to whether their business has taken any steps to ensure they are so.
There’s been much talk of Silver Bullets in the last couple of years, but presently, businesses need a Gatling Gun full of them to mow down a hoard of political and economic issues before they even think about crossing this regulatory minefield.
There’s too much else happening. It’s noisy, so fingers are in ears. Subsequently, and distressingly, 9 per cent of marketers say there “have been mentions of it, but nothing has been formally discussed,” while 16 per cent “do not think GDPR is relevant to them.” As someone contemplating the scale of the approaching regulation daily, it is astounding. Am I going mad?
This sheer lack of understanding and preparation is an emphatically EU problem, born from a facile attempt to treat everybody the same, or, to “harmonise.” But it’s quite hard to harmonise when we’re still no closer to clarifying the minutiae of GDPR. The Article 29 Working Party, tasked with doing so, is yet to even provide clarity on consent and profiling. How are businesses to prepare, when the EU hasn’t even made clear what exactly to prepare for?
The Article 29 Working Party has promised to publish guidance on consent under GDPR, but it won’t materialise until later this year, bottlenecking the time to prepare further. Thankfully, the UK Information Commissioner’s Office (ICO) is trying to help alleviate the confusion, recently publishing draft guidance on the same subject.
The ICO guidance raises a pertinent point, which goes part of the way to explaining the UK’s present incertitude. Many of the practices identified as unacceptable are fairly commonplace in the UK – but not in somewhere like Germany, or Estonia. It’s far easier for some member states to comply with GDPR than others – to harmonise – yet we all have the same timeline. It is quite unreasonable for UK businesses to be prepared for what is, essentially, a cultural shift, in the same timeframe as those who have to make few changes. Especially when the finer details are so sparse.
The CIM report concludes that just 13 per cent of marketers are prioritising GDPR as a top concern for the year ahead, while 55 per cent are more concerned with Brexit, and interestingly, 47 per cent with the possibility of recession. It’s a little too late to wish away GDPR among the hubbub of geopolitics. But the clock ticks closer to midnight – and the UK is not ready.
Elliott Haworth is business features writer at City A.M.