Impact of GDPR

Yes, of course. Even we as a small organisation have received the first request for information under Art. 10 GDPR. Interestingly, from an e-mail address that was actually not in our system and according to all our records was never there. It may be that the person has used other contact details than those given to us in the inquiry - but this cannot be traced. What follows? An irrational effort for a small organization to answer the request legally correct.

This just shows how irrational GDPR is

Because of the inquiry itself, the person's data is stored on our mail server - of course, he/she has requested it by e-mail. Even the very friendly lady at the data protection authority could not tell me whether we had to include this data in the reply to the inquiry. For example, whether we have to indicate that our mail server is operated by Microsoft, a company that signed up for the EU-US Privacy Shield. This just shows how irrational things are. It would mean that a so called negative answer, saying that we never processed data, in fact does not exist. Only if the person inquires personally or by telephone. And even then you should answer in a written way which again produces data.

Any person from Europe may make inquiries to companies, whether or not data has ever been processed. You are obliged to reply within one month. This lack of limitation and that the inquiring person does not need an explanation will overwhelm companies with inquiries.

It is an insane bureaucratic effort for a tiny organization

We have invested in GDPR for months and thus had less time for our daily business. I am not claiming that we are doing everything right - because in my view that is actually impossible.

Beeing 100% compliant is impossible, and those who claim they are, don't understand GDPR or do just claim it for the sake of safety.

There are far too many grey areas in this whole thing and you as company have the burden of proof. If someone wants to find something, they will.

But we really invested lots of time to become compliant and I think we did good. We also produced lots of documentation. Now I have seen competitors who have actually done nothing at all. They now have a significant competitive advantage, if only because of the unspent time.

Thanks contacts and friends, all of you reacted very positively.

We had the one or other friendly unsubscription or data deletion because of shifted interests due to new job roles. As I said, we had only one formal request for information according to Art. 10 and I hope that this will remain so, because you can simply contact us at any time, change your preferences and of course we also gladly give informal answers. However, if someone wants the formal procedure, we have to do it, thanks to bureaucrats who decided this.

"Every unfounded formal request for information under Art. 10 and the request to receive the data in a machine-readable format takes time away to really take care of your customers. Especially if you're a small organization that can't afford to deal with such requests full-time."

The good things of GDPR

Don't get me wrong. I'm a fan of data privacy.

My February-born son has no Facebook traces yet, I advised his grandmother not to post anything like she usually does and told her that WhatsApp is no better. 

Sharon O'Dea clearly went one step ahead by waiting for an opt-in email from her mother.

But back to the real GDPR benefits. By dealing with GDPR I was truly shocked at how many advertising tracking cookies are placed by the big players, often in the name of the website owner who has no idea of it. For website owners almost impossible to solve. Not because of regulation, but because of the lack of understanding of the major vendors. It is great if these things are resolved by new rules.

The involved data cleanup is also a good thing. As well as the mindshift for marketing managers from big data to data we really need. Or as Tim Walters put it: from Big Data to Beg Data.

The big picture

Of course, the handling of personal data must be taken seriously. In particular, if conclusions are drawn by profiling or other technologies, if data is processed which could damage the reputation of the person or if sensitive data such as iris scans, fingerprints and health records are involved. But it must also be possible in future to carry out direct marketing, especially for small companies. For some, GDPR almost comes close to a professional ban. And that can't be the goal. Currently it does not feel as a competitative advantage beeing compliant.

And what the makers of this regulation do not seem to have understood is: it harms SMEs throughout Europe. They fear to send e-mails in the future and have to pay more money to the big providers like Google, LinkedIn and Facebook for advertising instead. Those big players naturally get the consensus of the users because of their market power. Even if they violate GDPR somewhere, they have thousands of lawyers defending against accusations. And if they lose, they'll pay a few million Dollars from the petty cash. This is easily outweighed by the hundreds of millions, probably billions, of Euros that the EU has actually unintentionally but graciously given to these large companies through GDPR-related additional revenues in advertising. And we all know where those corporations pay taxes.

Many things of GDPR are great. But the bureaucratic hurdles for SMEs are a problem. And there must be a way to safely do digital direct marketing in future as well. Especially start-ups and SMEs can't afford just to rely on the big players for marketing as GDPR unintentionally forces them to do.

What are your thoughts?

***

Advatera - empowering you through knowledge sharing. We facilitate knowledge sharing meetings for digital, marketing and comms managers and organize a yearly conference, the Digital Leadership Forum in Vienna.