London, Thursday 30th November, downstairs at the Albany public house, the MRC Connects held one of the more social and informal events.  Mark Beresford, from Edgar, Dunn & Company (EDC), Director, sat on a panel discussion along with Simon Bollans, Senior Associate, Osborne Clarke, Brad Schmidt, General Manager, Emailage and Catherine Moore, President, J.P. Morgan was the moderator, to discuss the topic of GDPR.

The discussion included topics such as, awareness – what did the panel think was the level of understanding in the marketplace regarding the GDPR basics.  Mark was able to refer to the recent hotel survey which EDC had just published.  It was found that only 23% of UK hotels had started their GDPR implications.  The panel felt that people didn’t have a good grip on implications as a data controller vs. a data processor or a vendor’s role and responsibilities. When it came to the panellist’s opinions on how generally aware consumers were – it was said that consumers are only aware of the current situation about data protection (which is now 20 years only) and completely unaware of the Pan-European changes that are due to occur in May 2018.  It was mentioned that there was a close association with PCI DSS compliance and GDPR compliance. Some of the data items overlapped.

The extraterritorial aspect of GDPR was discussed and how widely understood amongst the panellists felt and what advice would they give merchants and solution providers in implementing it.  Hotels were probably one of two businesses that GDPR impacted their global operations.  Vendors and solution providers, i.e. data processors, based outside the EU was another category of companies where GDPR will have major implications if they were handling personal data of EU residents.

Catherine spoke about the fact that there was a great deal in the public domain (surveys/media reporting) about the level of readiness (or lack thereof) that organisations have in order to meet the implementation deadline of May 2018.  Simon and Mark were able to provide a little more context to those reports and describe the biggest challenges to readiness.  Staff training was mentioned, vendor contracts and other down-stream items were also discussed.

One of the key offerings of Emailage is real-time intelligence from email addresses, which is an example of personal data, and Brad was able to describe the challenges they have in relation to GDPR.  It was agreed that companies that are treating GDPR as “just another compliance project” are probably the ones that are falling short in realising the potential to differentiate their offering as a trusted custodian of personal data.  It presented an opportunity to tidy up data held on customers.  The panel described what we had learned over the last year or so in getting ready of this and what could be applied to future projects in terms of approach, resourcing or stakeholder engagement.

The potential introduction of friction created from the “Right to Consent” was an area that the panel talked about especially where businesses were trying to make their online journeys as streamlined as possible to decrease friction in the customer experience, so as not to have drop off.   Mark referenced the recent decision that chain J.D. Wetherspoon had taken to deleted its entire email mailing list to avoid one potential cost of GDPR compliance.  Simon also spoke about where to get more information about GDPR, including the national competent authorities, the EU and the UK’s Information Commissioner’s Office (ICO).

There were a couple of questions from the audience, including one from Spotify, where “data portability” was scrutinized, and the fact that GDPR has a provision for companies to provide data portability, such as a customer’s playlist of songs.  The drinks kept being ordered so Catherine brought the panel to a close.  The evening was proudly sponsored by Emailage.