From 25 May 2018, “effective, proportionate and dissuasive” fines of up to 4% of annual worldwide turnover (or EUR 20 million, whichever is higher) can be imposed for violations of EU data protection law. The EU General Data Protection Regulation (GDPR) entered into force on 24 May 2016, with a two-year transition period before it applies. So, in theory, at the time of writing (early June 2017), internal projects to comply with the law should already be half complete.
In practice, however, a survey of EU companies * shows that:
• 10% say they have already implemented the GDPR
• 40% are “currently implementing”
• 25% are still in the “planning stage”
• 25% have not yet started on GDPR compliance **
This is rather worrying. Marketing Directors continue to bear direct responsibility for the collection and processing of customers’ personal data in their companies, just as they did under the earlier Data Protection Directive 95/46/EC.
So what has the new law added? First and foremost: accountability. It is no longer enough for Marketing Directors to ensure that their processes are lawful. From 25 May 2018 onwards they must be able to demonstrate compliance: processing activities have to be documented, and that documentation must be produced for the supervisory authority on request.
For many companies, this obligation to document the processing of customers’ personal data will generate additional work. Late starters who have not yet defined the scope of that work face a particular problem, because the GDPR is wider in geographic scope and deeper in technical reach than the earlier law.
The simple fact is that most Marketing Directors already have their hands full with other priorities. That will not extend the deadline. Nor does the fact that data protection officers are already overloaded with compliance issues in HR processes or IT systems reduce the obligation.
Don’t wait for the Data Protection Officer to call you. They won’t.
An overloaded DPO is no justification for non-compliance: the Marketing Director is still responsible for privacy and will be held accountable.
So what can Marketing Directors do?
Marketing departments need to take the initiative on this issue, and move quickly. One approach is to make full use of the expertise available in-house and across departments. They will need to enlist people who
- understand the digital systems that enable one-to-one marketing;
- have a working knowledge of the new legislation and its compliance requirements;
- can also act as technical or professional interpreters between marketing and IT, the legal department or the data protection officer.
Once initiated by the Marketing Director, the project should run under the guidance of the DPO, with regular reporting to the Marketing Director.
There are fewer than 210 working days to compliance
Given the rapidly shrinking timeline, it may well be a good idea for Marketing Directors to find suitable external experts who can reinforce their team, and to start work as soon as possible. Given the size of the fines that can be imposed for non-compliance, the additional resource may turn out to be a very sensible insurance policy.
* “DSGVO: So weit sind die Unternehmen mit der Umsetzung” (“GDPR: how far companies have got with implementation”), 16 May 2017, article by editor Markus Singer | https://www.haufe.de/marketing-vertrieb/online-marketing/dsgvo-so-weit-sind-die-unternehmen-mit-der-umsetzung_132_412258.html
** Results of a survey by Artegic AG, Bonn (page 17) | survey available as a download via this form: https://www.artegic.com/de/studie-datenschutzgrundverordnung/