GDPR: Whatever You Do, Don’t Mention the Law

Sick to the back teeth of GDPR? You ain’t seen nothing yet. Expect much more of this bland and unappetising diet as the days tick down to whenever in May 2018 this blasted piece of EU legislation is due to become law.

Channel partners are finding it tedious enough, but spare a thought for your customers who the entire IT industry has been lambasting about GDPR for at least the last 12 months. GDPR talk is everywhere, fatigue is setting in and business leaders are finding it a major turnoff.

That’s a shame because GDPR is a good opportunity for organisations to get a better governance and cyber security regime around their communications and data processes, and it’s a potentially fruitful money-spinner for trusted advisors who know what advice to give too. But therein lies the rub. No-one wants to hear another pitch about how the sky is going to cave in if they don’t do anything about GDPR, or how buying such-and-such a product will ‘help them move towards’ becoming GDPR compliant.

The big question is, how do you get the message across to customers and do the right thing by them, without coming over as selling fear, uncertainty and doubt?

The truth is that GDPR will end up changing little in the life of ordinary businesses, and you’d be a charlatan to suggest otherwise. Let me give you three reasons why.

Strength in numbers

There are about 5.5m businesses incorporated in the UK, and all of them handling data on EU citizens (including UK staff and customers) will be liable to the full force of the new law. None of them want the disruption of a prosecution under GDPR, or the damage to their reputation.

However, if you believe some of the surveys being bandied around lately, apparently hardly anyone in Britain is GDPR compliant yet; millions either haven’t got their acts together or haven’t got the foggiest ideas what the law requires. But let me assure you, there is absolutely no way that the combined machinery of the ICO, the police and the judiciary can possibly cope with a body of this size. Hence GDPR will become like speeding on the motorway; people will get caught (and so they should) but most people will carry on doing 75-80mph from time to time, with relative impunity.

No political will

Contravening GDPR is hardly murder or child abuse. It will be just another white-collar crime; dodged and obfuscated by those who can afford to. It isn’t even a morally repugnant white-collar crime like tax evasion. Add to this the fact that GDPR is an EU law, and the EU isn’t exactly a popular institution right now, tightening the thumb screws on giving Britain the crummiest deal possible in Brexit negotiations. No, GDPR is not going to be a top priority for anyone in power. It will be on the statute books, and rightly so, but the political consensus will be that there are bigger fish to fry with the law enforcement resources available.

Legally untested

The most cynical thing about how GDPR has been ‘sold’ to channel partners and enduser organisations is this idea that the law is cut and dry. “Fail to do this or that and you’ll be whacked for 20 million Euros or 4% of your turnover…” This is not how the law works. When new legislation is enacted, it has to be prosecuted in a court of law; a court that will test its efficacy. That’s when everyone else gets to understand what it really means.

The other cynical aspect of GDPR’s positioning is that, as a piece of legislation, it makes perfect sense. Have you actually tried to read it? In terms of what kinds of solutions and processes would constitute a legally-compliant posture, it is utterly vague on every count. Nobody knows whether Product A or Product B will stand up as a compliant solution, because it isn’t written anywhere in the legislation and it hasn’t been tested.

I honestly believe that GDPR is a force for good and that businesses should be trying to interpret the legalisation as a framework to strengthen their cyber security and data governance. I also acknowledge that failing to act is no strategy and no defence against a criminal charge. But resellers need to stop trying to cash in on this bandwagon and, instead, take a far more honest approach around GDPR or they risk being cast as cry-wolf drama queens among existing and prospective customers; hype-peddlers who didn’t tell it straight when they had the chance. Face up to the truth about GDPR and your customers will thank you for it.

Guest Blog by Comtec