What We Learned About GDPR

By Gordon Smith

Going through GDPR for ourselves and our customers was an eye-opening experience. Apart from the technical implementation aspects, here are some general learnings - some of which really surprised us.

Not all businesses care as much as others about compliance

Some of our clients spent weeks and months preparing for GDPR. They appointed a GDPR officer, audited their data stores, reconsented their mailing lists, updated their privacy policies and more, several months in advance. Many spent thousands of pounds on legal fees.

Other companies are still only now waking up to the fact that there are new compliance regulations. Some companies care deeply, others ... not so much.

The ICO has really let us down

We are not down on the ICO - like about 75% of IT professionals¹, we support the aims of data protection. Over the years our experience of working with ICO has been nothing by positive.

But the rollout of GDPR was in our view, not good. There are very few concrete examples of good and bad practice for businesses to follow, and everybody expects that the details will only become clear when the ICO starts enforcing GDPR through litigation. But this was mainly because the legislation is incredibly vague.

Over the last two years the ICO has published many guides and myth-busting blog articles. Despite this, some businesses have genuinely not known about the new legislation.

The ICO has allowed the information to percolate out via the media rather than contacting organisations with clear information.

Businesses are incredibly confused

They are still asking questions like:

"Do I need a tickbox on my contact form?" (probably not)

"Do I need to trash my email contact list?" (hmm, depends, maybe, possibly not all of it)

"Do I need a cookie banner on my website?" (probably, possibly not if cookies don't store Personally Identifiable Information)

"Can I email somebody at a business?" (probably, but the rules around B2B marketing are even less well understood than those around B2C)

One outcome of this is that an astonishing 45% of UK businesses are setting money aside for expected GDPR enforcement fines². In fact the one thing that the ICO has made very clear is the potential for fines of up to 4% of annual turnover or £20m for non-compliance.

Many businesses feel that there is a high risk of fines for failing to comply with legislation that is poorly understood.

There is particular confusion about the allowed purposes for storing data

Many small business owners have focussed all their attention on the basis of "consent". Especially with regard to email lists. The lack of consent has caused thousands of email lists to be needlessly trashed.

But there are actually six bases on which data can be lawfully processed.

One of these is "legitimate interests". The law defines this as "the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests."

This is a very wide-ranging and vague definition but many businesses are interpreting it to mean that they can continue to contact their customers because they have a current business relationship with them.

At Dotwise, we chose to use legitimate interests as the basis on which to keep our email list. We are fundamentally a knowledge-sharing business and this relies on being able to share knowledge with our customers through email.

We would, of course, respect the wishes of any customer who didn't want to hear from us but we have not regained their consent.

Lawyers are coining it in

A whole new army of GDPR "experts" has emerged. Charging high fees and giving contradictory advice to clients.

Data is everywhere

One thing we found during the process is that almost all businesses (including ourselves) have many, many data stores - on-site, in the cloud, on disks down the backs of sofas and in the Directors' garden sheds. Compiling a list of all the data stores was a useful exercise. GDPR task list GDPR is not a box-ticking exercise.

Some businesses regard compliance as a tick-box exercise

GDPR should not be a box-ticking process. GDPR forces businesses to really think hard about the data they are storing - where and why it's stored and when it should be deleted.

This a good exercise which will benefit us all.

Online service providers have been stunningly slow in rolling out compliant products

From Facebook to AdRoll and the many Google products that rely on personal data, such as AdWords, Analytics, AdSense, Data Studio and many others - companies have been staggeringly slow to bring out GDPR compatible versions of their products.

Many of these services only brought out new products in the last few days and weeks before the 25th of May, leaving no time for marketing agencies to implement solutions. It has shaken some business models to the core - especially retargeting and remarketing businesses.

Nobody really knows anything

There are no clear, straightforward answers on GDPR! The ICO is not helping - but that's because the legislation is vague. It is, sadly, a minefield, and until the ICO start enforcing GDPR nobody will really know the limits and parameters of compliance.


  1. https://community.spiceworks.com/blog/3023-most-will-miss-gdpr-deadline-uk-most-prepared-us-and-rest-of-eu-lag-behind
  2. http://www.thedrum.com/news/2018/05/01/almost-half-uk-marketers-are-setting-money-aside-gdpr-fines-amid-pre-deadline