Are GDPR ‘experts’ using scare tactics to oversell?
In the months following the introduction of the General Data Protection Regulation, everyone seems to have become an expert – but do companies actually need to enlist the services of a specialist?
MillerTech operations director Hitesh Sharma says they often don’t – and he should know. A CRM specialist since 1984, the London-based company’s six million members use its system for everything from managing events to qualifications.
Companies found breaching the GDPR legislation could be fined up to €20 million or 4 per cent of its annual global turnover.
“Since GDPR came about everyone’s become an expert,” Sharma told BusinessCloud. “There have been consultancies, law firms and specialists popping up, and people just don’t know if they’re overselling and using scare tactics.
“This might have caused a bit of a ‘wait and see’ approach for those that are a bit more cautious about so-called experts.”
There has been a fivefold increase in the number of self-reported personal data breach notifications in the first full month after the GDPR came into force, the Information Commissioner’s Office has revealed.
Sharma says that for companies dealing with data, their CRM system could hold the key, as their CRM provider becomes a data processor on behalf of them as the data controller.
This means they understand the obligations better and therefore are the best people to advise what approach businesses should take.
“You do still get smaller organisations that take on consultants,” said Sharma. “They will just re-emphasise things that are already in the ICO document anyway, so in that sense they have read it and are aware enough of it to become a specialist in the area.
“However, if you go to the ICO website and read the details you should be able to formulate a reasonable understanding of what’s required and the impact on your organisation.
“Sometimes small businesses don’t have time though, which is why they look for consultants. ICO documents can be grey in terms of interpretation as well.”
For any business worried about navigating data privacy in the new landscape, Sharma says it all comes down to legitimate interest.
“The key thing for a business or not-for-profit is how to communicate or share data with its members and a lot falls under legitimate interest,” he said.
“You can contact them and share information as long as it’s for the main purpose of why they signed up to become a member of that organisation – if you follow those principles you should be fairly safe.”
Going forward, MillerTech will focus on customer engagement in the new landscape.
“Customer engagement will increase as GDPR has made people worried whether they have the right to contact people and how to drive those figures, so we’ll need to help there,” said Sharma.
“There are lots of ways to measure this. You can look at things like analytics and reports to see how engaged members are, and whether they book on to events or like your posts on social media.
“Artificial intelligence is also coming about on a lot of websites as a means of support, so we want to see if it has place in CRMs and how it can help people run business processes, potentially answering client questions.”