Are you among the 2/3 of organisations not fully complying with GDPR?


A recent survey showed that only 29% of EU organisations have fully implemented all the requirements of the GDPR. With the General Data Protection Regulation having been law since May, this is a bit of a worry.

We look at what the survey says, and how you can make sure you’re not part of the 71%.

A refresher on GDPR and its importance

In case you’ve been under a rock during 2018, a quick rundown. The General Data Protection Regulation came into force on 25 May this year. It affects any organisation that:

  • Possesses or processes data pertaining to an identifiable person
  • Contacts those individuals via email, phone, SMS or mail
  • Tracks their engagement via e-shots, cookies, or landing pages for the purpose of profiling an individual

It removes the distinction between business and personal data – previously, data used for B2B marketing was not subject to such stringent rules as that used for B2C.

The regulation applies to any EU citizen, no matter where in the world the data is held.

It gives firms a choice of six ‘lawful bases’ under which they can process data. Although many firms focused on ‘consent’ as their lawful basis of choice before the regulation came into force, it’s worth exploring the others in case one of them is more appropriate for your use of data.

Last week, we included the GDPR among the things making the biggest marketing headlines in 2018 – and for good reason. The regulation took up a lot of Marketers’ time and effort this year, with focus also redirected to activity that wasn’t data-dependent, like social media.

Potential fines for non-compliance with the GDPR are up to 4% of annual global turnover or €20 million, whichever is greater, leading some to call the regulation the next PPI scandal.

Only 29% compliant

And yet, according to the new report from IT Governance, less than a third of EU organisations have fully implemented the regulation.

One important element of the legislation is the need to comply with data subject access requests (DSARs). While nearly 60% of the firms surveyed as part of the research said they were aware of the changes here, only 29% said they had plans to adapt their processes to comply with those changes.

Subject Access Requests entitle individuals to the right to find out what personal data is held on them by an organisation, why the organisation is holding it and who their information is disclosed to by that organisation.

If you don’t manage SARs correctly under GDPR, your firm can be subject to fines.

Resolve to meet GDPR requirements in 2019

If you want to ensure your firm is fully compliant with the requirements of the GDPR, the ICO’s GDPR microsite is a good sources of information and advice.

Our blogs on the launch of the GDPR, on how small businesses can overcome the GDPR challenge and how your marketing may change under GDPR might also be helpful.

Of course, GDPR is just one of many rules faced by marketers, particularly if you’re overseen by the FCA or other industry regulator, but also for unregulated businesses. All firms, for instance, are subject to the new CAP rules on the use of data in marketing which came into force in November.

These evolving rules are just some of the challenges Marketing teams face. Read more about these challenges – and how you can tackle them – in our free whitepaper, The changing role of the financial services Marketing Manager. The whitepaper is available to download here.

Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.

New Call-to-action