25th May 2018 is only 66 working days away and
that doesn’t include the Easter break…or the fact that we all have our day job
to do and yet we need to find the time, resource and guidance to make sure
we’re fully GDPR compliant by midnight on 24th May.
If you’re anything like me, you’ve got an inbox full of
emails from every Tom, Dick and Harry offering to provide GDPR guidance and
support – causing ever more confusion about the credibility of these companies
springing up out of nowhere purporting to take all the pain away.
Although the responsibility for GDPR compliance rests with
the Data Controller, it’s incumbent on us as service partners to work with our
clients to help them put in place the written data processing agreements,
authorisations for their data to be shared with sub-contractors (as no
fulfilment company can possibly handle all element of customer deliveries
without using a delivery partner), ensure we’ve got protocols in place for when
Joe Bloggs the consumer puts in a request for their Right to be Forgotten – and
all the other associated GDPR requirements that need to be in place in less
than 67 working days (and counting!).
I am absolutely in agreement at the need for data to be
controlled and protected, for one thing it’s personal to me and I’d like to
know that companies with whom I need (or choose) to share my data, will respect
it as well as feeling comfortable that my identity won’t be hacked, or that
I’ll be bombarded with emails/DM from companies who have shared my data with
less ethical third parties.
However, working for a Marketing Services company such as
MRM where we’re working for circa 80-100 clients, the introduction of GDPR has
been a massive drain on senior management resource for the last 6 months and
will continue to be the case right through to the summer. The majority of
clients haven’t yet contacted us about GDPR, so we’re working proactively to
contact them – which means conducting detailed reviews of the data we hold and
process on their behalf, compiling data processing agreements and the associated
administration time that is required for this. Our senior management team,
myself included, are meeting weekly to review internal and client progress – as
the last thing we want is to be racing across the finish line – we’d much
prefer to be ahead of the schedule.
But all this work takes time and costs the company money;
it’s not only the outward facing client relationships that need to be managed
through this process – we also have to look inwardly at our supplier roster to
ensure we have documented written protocols in terms of how they will process,
store and delete customer data. And if you think I’m belabouring the point and
having a moan, then you try getting the Royal Mail or Whistl to provide
this information in a format that will satisfy the watchdogs at the Information
Commissioner’s Office (ICO). Because that’s what it’s all about, being able to
evidence that the data you’re processing is with the Data Controller’s
permission….that your subcontractors have also been given permission by the
Data Controller (even though they are contracted to you as the Data
Processor)…and so it goes on.
Then we also have to consider the consumer, who has every
right to put in a request to know exactly what data of theirs is being held.
This causes its own complications as certain data fields need to be held, to
allow customer services functions to be validated – yet other parts of the data
can be argued as to no longer be relevant. And for each client/service
provided, different data fields apply in each scenario. And we’re not even
taking into consideration the mischievous consumer who has a grievance with a
brand that we represent, and the potential time that could be tied up handling
their requests, or the system developments required to control which data fields
are deleted and how.
Looking on a positive note, GDPR requires us all (clients,
service partners, sub-contractors) to improve the clarity of our documentation
and how we communicate with each other, in terms of campaign planning and day
to day requests. Clearly my workload over the next 11 weeks is going to be
significant and the majority of that work needs to be completed by someone in a
senior position due to its complexity – but I’m determined to keep my eyes
firmly on the light at the end of the tunnel and the benefits that we and our
clients will reap in the long term…oh, and the large G&T that I’ve promised
myself, come 5.15pm on Friday 25th May!
Melanie Sheldon, Commercial Director.
If you need more information on anything at all, or you would like to talk about a project you are planning, we would love to listen and have a chat. The team are on hand to answer any questions you might have. Send us a message, request a call back or give us a call at +44 (0)1858 410510