26/02/2018 | The real cost of GDPR

What's the real cost of GDPR?

25th May 2018 is only 66 working days away and that doesn’t include the Easter break…or the fact that we all have our day job to do and yet we need to find the time, resource and guidance to make sure we’re fully GDPR compliant by midnight on 24th May.

If you’re anything like me, you’ve got an inbox full of emails from every Tom, Dick and Harry offering to provide GDPR guidance and support – causing ever more confusion about the credibility of these companies springing up out of nowhere purporting to take all the pain away.

Although the responsibility for GDPR compliance rests with the Data Controller, it’s incumbent on us as service partners to work with our clients to help them put in place the written data processing agreements, authorisations for their data to be shared with sub-contractors (as no fulfilment company can possibly handle all element of customer deliveries without using a delivery partner), ensure we’ve got protocols in place for when Joe Bloggs the consumer puts in a request for their Right to be Forgotten – and all the other associated GDPR requirements that need to be in place in less than 67 working days (and counting!).

I am absolutely in agreement at the need for data to be controlled and protected, for one thing it’s personal to me and I’d like to know that companies with whom I need (or choose) to share my data, will respect it as well as feeling comfortable that my identity won’t be hacked, or that I’ll be bombarded with emails/DM from companies who have shared my data with less ethical third parties.

However, working for a Marketing Services company such as MRM where we’re working for circa 80-100 clients, the introduction of GDPR has been a massive drain on senior management resource for the last 6 months and will continue to be the case right through to the summer. The majority of clients haven’t yet contacted us about GDPR, so we’re working proactively to contact them – which means conducting detailed reviews of the data we hold and process on their behalf, compiling data processing agreements and the associated administration time that is required for this. Our senior management team, myself included, are meeting weekly to review internal and client progress – as the last thing we want is to be racing across the finish line – we’d much prefer to be ahead of the schedule.

But all this work takes time and costs the company money; it’s not only the outward facing client relationships that need to be managed through this process – we also have to look inwardly at our supplier roster to ensure we have documented written protocols in terms of how they will process, store and delete customer data. And if you think I’m belabouring the point and having a moan, then you try getting the Royal Mail or Whistl to provide this information in a format that will satisfy the watchdogs at the Information Commissioner’s Office (ICO). Because that’s what it’s all about, being able to evidence that the data you’re processing is with the Data Controller’s permission….that your subcontractors have also been given permission by the Data Controller (even though they are contracted to you as the Data Processor)…and so it goes on.

Then we also have to consider the consumer, who has every right to put in a request to know exactly what data of theirs is being held. This causes its own complications as certain data fields need to be held, to allow customer services functions to be validated – yet other parts of the data can be argued as to no longer be relevant. And for each client/service provided, different data fields apply in each scenario. And we’re not even taking into consideration the mischievous consumer who has a grievance with a brand that we represent, and the potential time that could be tied up handling their requests, or the system developments required to control which data fields are deleted and how.

Looking on a positive note, GDPR requires us all (clients, service partners, sub-contractors) to improve the clarity of our documentation and how we communicate with each other, in terms of campaign planning and day to day requests. Clearly my workload over the next 11 weeks is going to be significant and the majority of that work needs to be completed by someone in a senior position due to its complexity – but I’m determined to keep my eyes firmly on the light at the end of the tunnel and the benefits that we and our clients will reap in the long term…oh, and the large G&T that I’ve promised myself, come 5.15pm on Friday 25th May!

Melanie Sheldon, Commercial Director.