We’re now three quarters of the way through the transitioning period from the old Data Protection Act to the new regulations. There are just six months to go until the Information Commissioner’s Office (ICO) starts applying the General Data Protection Regulation (GDPR). But, are we all ready? Well, I think presently the collective answer would be a ‘No, we’re not there yet’.

GDPR concerns

I’ve talked with a lot of people about GDPR over the past few months, and in my experience people are becoming more and more aware of it, but also more and more worried about it. Having taken positive steps to find out what’s involved, there tends to be something of a dawning realisation of the scale of the task in hand to achieve compliance, and most specifically to be able to demonstrate that compliance. The more you learn about it, the more it seems there is to do.

I think these fears are not helped by media reporting of the scariest aspects, but these are usually only a part of the full story of transgressions against which the ICO has taken action, which often get reported less objectively.

I’ve seen that arts organisations are concerned but also keen to use personal information responsibly. But perhaps there is a gap when it comes to fully understanding the proactive steps organisations must now take.

Putting audiences at the centre

I think my reaction was probably similar to that of many others who’ve found themselves (willingly or unwillingly) in the position of having to ‘take care of GDPR for the organisation’. It follows a fairly similar process to the stages of grief, I should imagine – first denial (“surely all that’s not really required?”), anger (“that’s completely ridiculous!”), bargaining (“well, maybe we’ll be OK if we just do xyz?”), depression (“really, I can’t do that? I need some gin”) and finally acceptance (“OK. We have to do this. Everybody has to do this. Let’s do it properly.”)

It’s at this point you can move on towards positive progress, to accept the requirements, and perhaps change the paradigm. Rather than worring about the challenges of complying with GDPR, try seeing it as a positive opportunity to focus on audiences, really putting people in control of their personal information, and letting them be clear about how they want to communicate with us – and for us to be clear about how we want to communicate with them.

Long-term positive effects

Many organisations have expressed concern about the potentially large degree to which their marketing lists might shrink if, upon review, they have to either change their legal basis for contacting individuals (from say, ‘consent’ to ‘legitimate interests’), or else go back to their audiences to get them to re-consent in a way that gives the audience more clarity about the ways their data will be used, (detailing which comms channels might be used, for which uses, and which organisations their data might be shared with). That gives the organisation the audit trail of data required to be able to evidence their compliance. Such list-shrinkage may indeed be a result for some. But this might not be such a bad thing in the end.

While we may end up having smaller mailing lists, they will be built up of people who are very likely to be the most responsive, because on both sides of the conversation we’re very clear about what the conversation should be about, and how it should be conducted. The return on investment from the use of these new lists is likely to be higher – and there’s research around to back this up.