“GDPR deadline” is on 24th May at midnight. Anyone promising GDPR compliance to businesses who start their adaptation process now is likely to be selling them snake oil. But embarking on a serious journey of GDPR compliance is still indispensable – no matter how late one begins it.
During the last year or so, I have been continuously amazed by the imagination of GDPR ‘snake oil’ vendors. We have all been harassed by various ‘tools’ to obtain email consent from your email database of questionable origin (yes – the ICO recently ruled that sending emails to obtain direct marketing consent already constitutes direct marketing, but not as if snake oil vendors ever cared much about empirical evidence). Then we’ve had various ‘GDPR practitioners’ with little understanding of European privacy law (or law in general) proclaiming ‘double opt-in’ as ‘the only way’ to obtain valid GDPR consent.
This type of ‘advice’ neither makes life easier for businesses nor increases privacy standards: while depriving businesses of their right to rely on ‘soft opt-in’ for past purchases based on ePrivacy Directive that will continue to apply after 24th May, a flood of ‘opt-in’ emails hardly complies with the individuals’ ‘right to be left alone’.
It is not going away
Thinking all this would go away as the GDPR deadline approaches would miss the point. Many businesses have not started early enough to be compliant in time. Even businesses who have been preparing for months or even years may find some aspects of GDPR overwhelming considering the complexity of their operations. But as the GDPR panic escalates, the demand for ‘miracle drugs’ increases. And of course, if we cannot be compliant by 25th May, why even bother? Correct?
Not quite. Whereas I refuse to speculate about the ICO and other European data protection authorities taking a holiday right after the GDPR deadline, businesses will have to comply to avoid unwanted consequences, sooner or later. Of course, a decision to embark on the compliance journey at a later stage increases the risk of privacy breaches – and paying fines of up to 4% of the company’s global annual turnover. So if you start now, you are highly unlikely to be able to complete the adaptation before the GDPR deadline. But you must start.
