Imagine what would happen if all the speed limits were abolished tomorrow and replaced with new legislation to say that motorists would, in future, be prosecuted for “going too fast”. And then imagine what would happen if the standard scale of speeding fines were to be repealed and replaced with a fine of up to £17 million or the confiscation of one’s car or home or the threat of bankruptcy. Half of all motorists would rise up in rebellion and the other half would be too frightened to drive anywhere anymore.
This sounds fanciful but it is exactly what seems to have happened with the new GDPR regulations. During thirty-seven years in business, I have never before seen legislation that has caused such confusion, fear and blind panic and I am astonished that so little has been written about the subject in the national press.
Everyone agrees that spam emails are a nuisance in the same way that everyone agrees that our roads should be made safer, but the words “sledgehammer to crack a nut” do not begin to describe the GDPR regulations. According to a recent article in The Times, three-quarters of all UK businesses have failed to implement the regulations correctly and many of them still have absolutely no idea what is expected of them.
I have done everything I can to ensure that my own business is compliant but it has been extraordinarily difficult to find credible advice on how to do so. The compliance company that we use for other matters have said that they are not able to offer advice on GDPR because they were unable to obtain PI cover due to the vagueness of the legislation and the absence of any case law. I spoke to another company who were recommended by one of my big clients and they wanted to charge me £8,000 plus VAT for a review of our procedures. When I asked for a summary of what the review would involve, they were not able to provide one.
Many of my other clients have received appalling advice. One major client has over half a million client records on a bespoke CRM database. This is a priceless archive of data which produces several million pounds of business every year via a carefully designed campaign of emails, letters, news articles, invitations to cultural and sporting events and calls from a well trained telesales team. In the run-up to GDPR, they sent everyone three opt-in emails then deleted the records of everyone who did not respond which represented well over 90% of all the people on the database. Redundancies will now almost inevitably follow. This cannot be what the legislation intended and is certainly not in accordance with my understanding of what the new regulations require.
This is not the only example of people overreacting to the legislation. My local garage, which we have used for years, wrote to me to say that unless I replied to their opt-in email, they would no longer be able to send me reminders of when my next service or MOT was due. So as a direct consequence of GDPR, I could forget to book my next service, have my brakes fail and then kill some innocent pedestrian just so that my privacy is not compromised. The garage owner has misunderstood the legislation but he is a mechanic, not a compliance expert, and his confusion and fear is perfectly understandable.
So, what should you do to protect your business from the appalling consequences of this legislation? Well, the most important piece of advice is don’t panic. If as the time suggests 75% of all businesses are currently not GDPR compliant, then the chances of your small estate agency business in a market town in the middle of nowhere being the very first business to be fined £17 million is pretty remote.
The second thing is not to be bullied into spending large sums of money with the companies that have set themselves up as GDPR experts. Most of them are not offering any advice that you cannot find for yourself by spending thirty minutes on Google. Most of the things that you need to do immediately, such as putting a data protection policy onto your website, can be done easily and cheaply without external advice.
Thirdly, apply the test of commonsense to everything you are told. Our usually honest and reliable IT company wrote to me to say that I would (not “may”, but “would”) be fined £17 million if I did not pay them a hugely inflated rate for making minor changes to our website before the deadline. We got the work done elsewhere for less than 10% of what they quoted.
Finally, be patient. Over the coming weeks and months, the legislation will be clarified and case law will be established. Once we know more details of how the legislation is going to be interpreted and enforced, we will all be able to make more rational decisions on how to deal with the legislation without destroying our businesses in the process.
Adam Walker is a business transfer agent and management consultant who has specialised in the property sector for more than twenty-five years.