A contact of mine, Jason Cobine, recently marked the 30th anniversary of his insurance broking business, so he knows a fair amount about managing risk.
He has also built two companies from scratch (the first with the help of three partners), the second without any “distractions”, as he puts it.
He developed a unique, branded method of developing leads that breaks some of the rules, yet tends to get better results than traditional methods.
He is uniquely placed to discuss why you are extremely unlikely to get fined for GDPR issues and why you should not stop sending messages to the right people.
The seminars he delivered last year received great feedback, and his webinar “Culture will kill your business (data)” is still doing the rounds. Here is his guest post:
GDPR policies are not an antidote
During last year’s feeding frenzy, it felt like everyone who needed new clients found a way to make their offering sound like the antidote to GDPR. A year later, we know there is no antidote. We’re all in it together. However, a lot of companies now have GDPR-compliant “policies” that a few people will read, with even fewer understanding them, plus procedures that people cannot be bothered to follow.
So what has actually changed? I receive the same number of spam emails, yet only a few of them aren’t compliant. When I enquire where they got my email address from, or tell them to take me off their list, I receive the same response from totally different entities. It shows they have an incorrect understanding of the regulations. They think they do get it, yet they rarely do, and the false sense of security is more dangerous for them than for anyone else.
Who threw the baby out with the bath water?
At one end of the scale, I am aware of charities that do not email their supporters any more; some have even disposed of the contact details of their supporters. They threw the baby out with the bath water.
At the other, there are companies that will “scrape” an email address off the internet (usually LinkedIn) and email me without any form of permission. When I ask where they got my email address, they lie about it and try to convince me why it is OK for them to spam me. They are being disingenuous at best, yet they think I will do business with them at some point. The irony is lost on them.
Why is assessing data risk so fluid?
So what is reasonable? It varies from company to company, and that is exactly the problem. Businesses rarely want to spend time preparing for the worst. They would rather not think about it. I’ve seen the same happening with health & safety. People don’t think their business is unhealthy or unsafe, so they stay in blissful ignorance. They will even copy the health & safety policy of another business when asked for one. I expect a lot of businesses have ended up with lookalike GDPR policies.
There cannot be a one-size-fits-all approach. I have discussed this subject with 400 business owners or company directors in the last 12 months. No two did the same things with the information they receive from their clients or prospects. So the lookalike policies are unlikely to help them. Even one hour spent thinking about how to keep data private is going to produce a better result than copying and pasting.
Wrap up: Any business that has a proper go at complying with GDPR is unlikely to be fined. Yet a lot of businesses have put GDPR policies in place without assessing the risk. Others have even bought cyber insurance without assessing the risks.
Top Tip: Cyber risk reduction is not as hard as many people imagine. Take a look at our ten top tips to reduce cyber risks. Enacting them will protect you against the vast majority of common online threats.