Nearly half of UK businesses expect to be fined for GDPR non-compliance
Wednesday May 16 2018
Nearly half (45%) of UK businesses have put money aside to cover possible fines for not being GDPR compliant by May 25th, according to new research.
The study, from Ensighten, investigated UK marketers’ attitudes to data governance.
It found that 61 per cent of respondents would apply for an extension on the deadline if they had the choice, due to mounting fears that they will not meet GDPR requirements in time. Brands need to navigate new consumer rights in a post-GDPR world and it’s clear at present that they’re not ready yet.
Prepared to be under prepared at best
Just 26 per cent of UK marketers state that they are “very confident” that their data governance procedures are robust enough to be deemed compliant. The majority of businesses are doubtful they’ll be compliant on time and to the right standard, and nearly one in ten (7%) admit to not having implemented any GDPR-related actions yet.
For those marketers that are underway with their GDPR preparations, 63 per cent state they have new policies in place to increase the quality of data they will receive after 25th May. However most businesses are not thinking holistically and exposing themselves to risk. Fewer than half (47%) of marketers are enforcing new policies on partner data acquisition which may leave them exposed to GDPR non-compliance.
Ian Woolley, Chief Revenue Officer, at Ensighten commented: “Unfortunately we found that brands are aware, but still uncertain in their final month of GDPR preparation. The research shows that 45 per cent of UK businesses have set money aside in anticipation of regulatory fines. The good news is that brands still have time to deploy and optimise customer privacy and consent options on their websites.”
A new regulatory environment requires leadership and education
One of the reasons for the apparent lack of GDPR preparedness may be due to accountability. The research found that there is not consensus among businesses regarding who should be in charge of GDPR overall. According to respondents it was the CEO (32 per cent), the Chief Data Officer (26%) and the Chief Marketing Officer (22%). A mere 14 per cent cited the Data Protection Officer as the risk manager – yet this is a GDPR mandated position where organisers perform regular and systematic processing of data subjects on a large scale – and of these nearly a third (27%) had not filled this mandatory role.
The GDPR introduces consumer data consent requirements that gives new power to consumers. If consumers do not explicitly opt-in to share their personal data, it could have meaningful impact to businesses. However, the study shows that only 13 percent of marketers will provide greater education on data rights and responsibilities to consumers within their marketing communications. Moreover, only one in ten (9%) marketers said that they would be using more frequent customer contact to educate or to request permissions of users. The insights suggest that while marketers are working to become GDPR compliant they are not educating their customers on why they need their data.
“Educating consumers on how their personal data is used and why their permission is needed is essential to building consumer trust and gaining their opt-in consent. GDPR is not just a legal hurdle to jump. Whilst brands are putting money aside for fines, they should not underestimate the damage to their reputation and business from not educating customers now,” continued Woolley.
GDPR will increase data quality
The study shows that only 11 per cent of respondents believe they make full use of corporate data. Marketers claim their department was the leader in making profitable use of corporate data, at 35 per cent, with sales (17%) and Finance (15%).
The research goes on to highlight that 69 per cent of marketers state that GDPR will enhance the accuracy and consistency of their data, signifying that there is a belief in a light at the end of the preparation tunnel. But just 30 per cent of marketers are considering setting new metrics in a post-GDPR world. This disconnect may mean that marketers miss KPIs by not planning in advance and managing business expectations in customer acquisition, engagement and consent for the services that may have previously not required explicit consent under the old rules.