The deadline for GDPR compliance is now very near
Monday, April 23, 2018
In just over a month’s time, the greatest change to data protection law – the General Data Protection Regulation (GDPR) – will be upon us and nothing, not even Brexit, is going to stop its implementation or lead to its early repeal.
The EU, UK government and the Information Commissioner’s Office (ICO), have taken great pains to warn British organisations and businesses of the need to make changes.
However, as studies are showing, even now, at this late hour, many firms have done little to meet their new obligations – despite the prompts – and print has not been exempted. As John Noble, director at Pro-Active Business Information, notes: “The sector has had mixed reactions, but many are viewing it as a major hassle, with few being fully prepared – even though most are aware of it.”
And Peter Thomas, managing director of DLRT, part of the Tall Group, thinks along the same lines: “The GDPR has been well flagged. The ICO has done some great work promoting it across the multimedia platforms and via roadshows. No one can use the excuse that they are not aware of it.”
Mike Roberts, managing director of PMG and Chairman of the Independent Print Industries Association, says that the print industry is rightly concerned with the impact of the GDPR and the effect it could have on the ability to contact customers.
However, he says “the industry was relieved that in January 2018 the ICO decreed that marketing can continue to use print and mail without the explicit permissions needed for email, text and telemarketing.
“This was really positive news as it has kept a core channel open to keep in touch with customers and contacts.”
From his perspective, the industry has been worried about legitimate businesses trying to promote themselves “in an already challenging market”.
And it’s a subject that print cannot ignore says Thomas: “Customers are far more expectant of their data processing partners; good corporate governance demands it. I believe that those who are serious about it, at industry level, are taking all the necessary steps. Those who dabble do so at their own cost.”
Following the law is good practice anyway according to Debbie Dowler, quality and compliance director at Tall Security Print, also in the Tall Group. She is pleased that “the rules and regulations laid down within the Data Protection Act 1998 and the obligations we have under ISO 27001 are being added to in this new legislation.” This view explains why the Tall Group sees GDPR as “an extension to the way we have handled secure sensitive data over many years within our accredited facilities”.
But that said, James Kinsella, e-commerce director at Route One Print, considers GDPR a significant change to current legislation and so “it’s not surprising that people are worried.” However, he adds: “When you look at the steps you need to take, they can be quite manageable.”
Compliance with GDPR is an important reflection of the changing nature of business. As Thomas comments: “Personal data and information drives everything we do in today’s world. It oils the wheels of business therefore its use and integrity must be protected.”
Does the new law go too far? He thinks not: “If businesses prepare themselves and act responsibly they have nothing to fear.”
GDPR isn’t all bad
Like many, Roberts supports GDPR and thinks that in the longer term “it should result in vastly improved, targeted marketing – which is better for customers and a company’s marketing budget”. His hope is that mass-volume marketing campaigns are replaced with creative, higher-quality, targeted promotions and he cites August 2017 research from Royal Mail: “Mail In Uncertain Times showed that 87% of people consider mail be believable. The same research found that only 48% of people thought email was believable.”
But the sector cannot afford to be complacent with GDPR and Robert says it’s been the hot topic at industry events for the past 12 months – “with print companies approaching it seriously”.
He adds that there will always be companies that continue to push the boundaries and think that they are above the regulation – “and hopefully the ICO will deal with the offenders appropriately.”
This is a point echoed by Noble: “I think some will change and others will take the risk. However, it will only need the ICO to issue some fines in the print sector to make others fall into line.”
Of course, the whole point of the GDPR is about personal control. For Kinsella GDPR means that “the consumer will have more control over their personal data and a better understanding of why companies are collecting this.” Even so, Roberts strongly advises print companies to proactively contact their customers to get their preferences updated prior to the changes on 25 May – as once the date has passed it will be too late. Noble agrees, saying that “as data subjects we should have a greater say in who uses our data and how they use it. The data protection element is important [in dealing with] a major rise in cybercrime.”
Will GDPR be a hindrance to marketing campaigns? Roberts doesn’t think so. He believes that there is fear in many of the younger marketers who only have extensive experience in digital marketing, “and very little knowledge of print marketing so they are naturally wary”.
But he says GDPR is driving a real shift in strategies as companies will only be able to contact customers electronically who have ‘opted in’, meaning they will have hugely less data to work with unless they use print.
Kinsella, on the other hand, considers that GDPR will make a difference: “Google searches for GDPR have increased by 400% in the last 90 days and our recently produced e-book about GDPR has already been downloaded more than 2,000 times; print businesses are taking this seriously.”
In the long run though, Dowler thinks that GDPR will take time to settle down, but she does see “major storms in teacups” until the new norm is finally delivered. She adds: “Understandably mistakes will continue to be made and rational business-as-usual thinking will need to be applied. I hope the ICO isn’t over run by trivialities. The big picture here is protection of collective data and that individuals count.”
For firms taking a positive approach Roberts thinks GDPR offers “a real opportunity for companies to capitalise with direct mail, using the same data models used for email; sending by post avoids the opt-in nightmare created by GDPR”.
He’s seen (at PMG) a noticeable increase in direct mail enquiries as businesses that had previously either moved away from print, or led with ‘digital’, look for an al- ternative channel to keep in touch with their customers.
And Kinsella thinks the same because while the laws on digital marketing are tightening “there is a more relaxed approach to print marketing” as a result of a ‘legitimate interests’ exemption – it is still lawful to contact people through printed marketing that you haven’t dealt with before but who may be interested in your offering. He adds that “based on this we’re expecting to see a rise in the use of printed media (direct mail, door drops, etc) as a marketing method.”
Indeed, Royal Mail’s own Marketreach research suggests that 86% of people have connected with a company as a result of direct mail and 13% more consumers visited a company’s website when direct mail was part of the mix.
That said, as Roberts notes, “unless your campaign is carefully targeted at a well-defined audience, with a clear message and call to action, you can send as much direct mail as you want, and it won’t make an impact.”
His answer? Invest in clever ideas to ensure highly targeted relevant mail engages with the audience.
But there is one more benefit according to Kinsella: “Becoming GDPR compliant shows your commitment to your customers and their data. It is another opportunity for people to engage with your brand and see you as a trustworthy business who wants to handle data correctly.”
For those in print holding data on others, Kinsella advises “taking an interest in what GDPR means and how it will affect the business.” He says the process should start with reviewing the data kept. “See if you are storing any data unnecessarily, or if you have kept data that you no longer need, and check when the last time this data was cleansed. When you have done this take note of any areas of risk and what actions you need to take and ensure they are completed before 25 May.”
It’s just as important to note that the need to obtain explicit consent means that many businesses are going to have to change the way they opt people into marketing communications. Here Kinsella simply says to “look at your ways of gaining consent and make sure they meet the requirements,” adding, “also look at how you protect any personal data and how you would handle a breach.” To this Dowler adds a rider: “Make sure data is held for a valid reason, that you have consent to hold it, and that it is held in an appropriately secure fashion with the appropriate flags where necessary.”
At the same time, she says printers need to educate their employees on the new rules. “Like all regulations, internal policies and procedures have to be drafted to enable staff to be educated in the dos and don’ts of the requirements surrounding the new GDPR environment.”
In practical terms, and because printers act as data processors, Noble says that they would still need to inform individuals that they process in the guise of a data controller – “and this can be done at the point of data capture for new/future data subjects. A simple email or letter to existing contacts would suffice for the rest.”
To Dowler goes the closing comment. She says “email does not put profit on the bottom line like print does. Who said that direct mail and personalised mailshots were dead in the water?”
It’ll be interesting to see how GDPR rolls out. Time will tell.
Route One Print has created a free eBook, Discover What GDPR can do for your Print Shop, with the legislation broken into easy-to-absorb chunks for printers. It is available for download here: bit.ly/pw-gdpr-ebook.