GDPR Fines

Don’t panic about GDPR fines.

Some companies are so risk-averse when it comes to potential GDPR fines and negative exposure that their business could suffer. But there’s no need to be on the defensive if customers’ interests are central to your plans, says Consentric’s J Cromack

The climate of fear that has built up around the new EU General Data Protection Regulation risks diverting businesses from the real point of GDPR, which is about reaffirming customer relationships – the CRM equivalent of renewing wedding vows. So it’s a shame that concerns about being exposed by privacy activists – and fined by the Information Commissioner’s Office (ICO) – are dominating some companies’ actions.

As GDPR came into force on May 25, some US news web pages were taken down in Europe as a pre-emptive risk-avoidance move. Among the main concerns were the way online cookies track site users’ identities and share these with advertisers. Although GDPR doesn’t address cookies specifically, the Regulation shines a light on related data-privacy issues. In the case of American media owners, decision-makers clearly felt the risk of being exposed for poor practices around consumers’ personal data justified forgoing millions of dollars of advertising revenue.

Certainly there has been speculation about data-privacy victims exercising their rights as challengers catch companies out. Not to mention threats that GDPR penalties will be enforced as the authorities show they mean business. Potential fines for GDPR non-compliance range up to €20 million or 4 per cent of total worldwide annual turnover, whichever is higher.

BUT – and it’s a big but – this early drama will dwindle.

Put the customer first and fear will fade

Being driven by fear of ‘What if?’, and by concerns about the formal consequences of non-compliance, is not the way to go about operating a good GDPR strategy. That’s because this approach puts the company at the centre of any decisions and plans, and not the people who matter: customers.

How do customers benefit from news sites being taken down? Or by big names publicly having their knuckles rapped? It might deter poor data-privacy practices in future, but it adds nothing of value to the customer experience. Not if, in the process of being seen to be GDPR compliant, businesses neglect to do important things – like follow through with their data-privacy promises across every point of contact with consumers.

I became frustrated with my car manufacturer recently for exactly this reason. The company had communicated with me proactively about staying in touch, giving me options to choose from and a chance to indicate my interests. But when, in a follow-up call, I said I would agree to emails but only on certain topics, it couldn’t follow through. It was all or nothing. Also, although I had now amended my permissions through one part of the business, I continued to receive generic marketing emails via another. Probably linked to an old opt-in box I had neglected to uncheck a long time ago.

Although my car supplier appeared to be doing all the right things at the front end, it had failed to execute its promised practices when it came to back-end processes. To me as a customer, this resulted in a disappointing experience. It highlights how easily gaps can appear between intent and reality if businesses don’t start in the right place, and respect and build in people’s privacy and data protection by design and default as set out in the founding principles of GDPR.

Respecting data privacy by design and default

Viewing everything through customers’ eyes helps make sense of a lot of the new and strengthened requirements of GDPR. For example, the data minimisation principle – which is about asking people for only the personal data you actually need for the given purpose. So if you only need to know their rough age group, ask for that instead of their date of birth. This is the kind of approach that online media and content organisations will need to take, to navigate evolving measures to protect customers from their details being shared with unknown advertisers without their knowledge or permission.

When it comes to being transparent with customers about the data you’re asking for, what you’ll do with it and what they will get in return, a good approach is to consider how you might explain this to your grandmother. If what you’re saying sounds a bit complex or creepy, it’s probably because it is.

If you’re genuinely focused on the customer, you can forget about the negativity that has been building around GDPR. It’s your ethos and best efforts that matter. For all the scaremongering about non-compliant organisations being shamed, fined and sued, the ICO has said more than once that it wants to support good intentions more than it wants to punish poor execution. This stance is well supported on its web pages, which contain lots of positive resources to help companies succeed in their GDPR compliance efforts.

So show customers that you respect their data and their associated rights. Taking a consolidated, centralised and operationalised approach to managing GDPR data permissions is a great way to demonstrate that retaining their trust and delivering the best possible experience is your number one priority.