In the first quarter of next year we will get the full details of exactly what the new EU data law entails. So much of its content has been revealed that the chances of the unexpected are extremely remote. Apart from anything else, the trilogue that is creating the legislation (the EU Commission, Council and Parliament) has taken so long in getting to where it is now that, in order to get close to meeting the timetable for the introduction of the law, it does not have time for discussions about anything new.

What is transparently clear in what we do know about the forthcoming law, the General Data Protection Regulation (GDPR), is that compliance involves a lot of work, and that if the new, stricter regulations are not met the Information Commissioner's Office (ICO) has the power to impose some extremely heavy sanctions.

While the necessary and not insubstantial work involved in compliance preparation is a big enough challenge, there is another problem, and it is a big one. Who is going to provide the training, consultancy and advice needed to help data owners through the required changes?

Never before have marketing departments of every description been responsible for technical change on such a scale, and there are few supporting IT counterparts that have had to meet a task of equal scale.

Research from several different authoritative sources highlights the need for training in-house staff and appointing new data protection officers, and indicates that brand owners with large and complex marketing data functions will need specialist third-party help.

Research by the ICO concludes that training marketing staff in GDPR compliance will cost an estimated £7,600 per person. The investment needed for appointing a data protection officer to manage compliance will be between £50,000 and £75,000 annually. There is no research on fees for specialist consultancy, but the biggest question is where all the training, the fully briefed and prepared data protection officers, and the expert third-party specialists are going to come from.

At the moment such resources do not exist on anything other than an extremely small scale. There is an enormous gap between provision and need, and currently there is no sign that it can be closed.

In the UK there are perhaps as many as 200 individuals who have the degree of data compliance experience and knowledge of GDPR to be able to provide advice on the subject. Of that number, most are committed to full-time positions embedded within companies or other organisations. That leaves between 20 and 50 who can provide consultancy support, and the consensus is that the figure is much nearer to the 20 mark than the 50. That could leave as few as 20 consultants to go around 360,000 UK companies, plus charities and other bodies that need to prepare. That is for taking the role of data protection officers, training data protection officers, and providing consultancy. To say the least, it is not a happy equation.

So where can data owners get qualified support when there are so few to provide it?

At the moment there is still consultancy available, and it is even possible to obtain free EU data compliance audits, but when the groundswell towards compliance starts, probably in the New Year when details of the law are published, these resources will get swallowed up.

The Direct Marketing Association (DMA) will be updating its existing compliance code to include a written guide to GDPR, plus it will conduct seminars as an extension of the regular programme of briefing events that it tours across the UK. The events are authoritative and provide very good value, but this is a drop in the ocean compared to the need, and still leaves the shortfall in the training and consultancy so many data users require.

Normally, consultancy on marketing data regulation can be met by data providers as part of their standard remit, but in the case of EU compliance this will not apply because most are unprepared themselves. They will have their hands full trying to bring their own data up to the new consent standard, creating new data protocols and writing new software to incorporate the storage of individual consumer opt-in forms. It means they are unlikely to dispatch anyone to assist others on anything other than a small scale, and probably for leading clients only.

The fact is that there are no easy solutions to preparing for the new law. The best advice is to get what advice and support is available as soon as possible. The key thing is to undertake as much research as possible. Understand it and then find a consultant to provide assistance before it's too late. Later down the line trade bodies will provide information to members, but unless you think you can go it alone by attending seminars and relying on video and written guides, the time to act is now.

Outside of their commercial considerations, there are those in the consumer data sector who will be working with other compliance and data specialists to try to find solutions to the shortfall in support on GDPR. Hopefully a remedy will be possible, but until then it will be the quickest to prepare who will be in the best and safest position when the new law comes into effect.

By Dene Walsh, Operations and Compliance Director at Verso Group.

