The 7 stages of GDPR grief

Remember Y2K and the horror that hit the tech community when January 1, 2000 was approaching and everyone realized their 2-digit year data fields would revert to 1900? There was a mad scramble to update all systems in time. Well, May 25, 2018 represents another date of horror for the tech community. All of the systems we’ve built around handling personal data will need to be re-engineered to handle the new General Data Protection Regulation (GDPR) rules that go into effect that day. That’s a lot to accomplish, with very little time left.

While the eve of the GDPR deadline may not start parties like we had back on New Year’s Eve 1999 — when people counted down to “the end of the world” — stakeholders in organizations across the globe will be experiencing a range of emotions as they make their way through the seven stages of GDPR grief at varying speeds.

Like Y2K, May 25 could come and go without repercussion if people work behind the scenes to make their organizations compliant. Unfortunately, most companies are in the earliest stage of grief – denial – believing that GDPR does not apply to them (if they even know what it is). Denial rarely serves companies well. And in the case of GDPR non-compliance, it could cost them fines of up to 20 million euros ($24 million) or four percent of global annual turnover, whichever value is greater.

Luckily, there are sure-tell signs for each grief stage and advice to help individuals and their employers move through each (and fast):

1. Shock and denial

If marketers close their eyes, GDPR enforcers can still see them, but companies in the shock-and-denial stage are being coy with GDPR. They are ignoring it, actively dismissing it, or even claiming they are unaware of the legislation.

This is the most dangerous stage, as it indicates no movement toward compliance, so company stakeholders need to educate themselves about GDPR, understand their responsibilities, and put processes in place to comply with consumers’ data requests and their right to be forgotten as well as other requirements.

2. Pain and guilt

Organizations know the pain-and-guilt stage is affecting them if they are seeing GDPR as an unnecessary hassle on businesses. Pain-and-guilt dwellers are aware of GDPR but are hoping it goes away on its own. Word to the wise: It won’t.

GDPR is a multi-year effort to modernize and unify privacy laws to give consumers control over the data many organizations have collected without oversight, permission, and security for decades. Since the May deadline marks the end of a two-year post-adoption grace period (and several years of preparation before that), enforcement agencies will be ready to enforce from day one and no amount of internal pain and guilt within an organization will mitigate external penalties.

3. Anger and bargaining

In this stage, conversations are starting to happen internally about bare-minimum effort. What if we just did this? Would it make us compliant? Those in the bargaining stage of GDPR grief are looking for the minimum they can get away with, like addressing server location but nothing else. GDPR does take a tiered approach to fines (e.g., a company can be fined two percent for not having their records in order), but disregard to any areas of compliance will result in continued trouble for a company.

4. Depression, reflection, and loneliness

Stakeholders have reached the fourth stage when they know they need to do something to become GDPR compliant but do not fully understand what is required of them and where to turn for guidance. There is also likely a person or two within the company whose loneliness has set in as they try to make their colleagues aware of GDPR but are unsuccessful at helping them understand the magnitude of the legislation. These advocates of GDPR compliance may find themselves in countries outside of the EU where awareness is low and action is dismal. To help, these advocates should share with their teams that GDPR makes applicability very clear: “it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.”

In other words, if a company in the U.S., UK, China, Japan, or any other economy that is collecting and leveraging data on EU citizens, they must be compliant with GDPR for those EU consumers.

5. Upward turn

Here, companies start to see progress since they have found the answers they are looking for but still have a murky path to compliance. They have visited eugdpr.org often, they have read all the industry blogs, and they have consulted those they do business with, but they still need to figure out actual steps toward compliance. This fifth stage is where many EU companies likely find themselves, as awareness is higher in these countries but action is still so-so. Rather than expecting to be fully compliant by May 25, 2018, for instance, 62 percent of surveyed companies are opting for a risk-based defensible position.

6. Reconstruction and working through

In the second-to-last stage of GDPR grief, companies have their processes defined and are on offense (versus defense) when it comes to compliance. If required, for example, they have appointed a data protection officer (DPO) and are ready for the impending deadlines. Even in this stage, however, organizations may have lack of ownership over programs and inconsistencies in programs, but they are further ahead than most.

7. Acceptance and hope

According to Deloitte, 61 percent of companies see further benefits of remediation activities beyond compliance, which supports the view that GDPR offers the ideal opportunity to view privacy as a business enabler. In this final stage of GDPR grief, companies have realized that a greater level of transparency between company and consumer will lead to a greater level of opt-in from those truly interested in a brand’s offerings and messaging. In this stage, companies are not afraid of empowered consumers; instead, they welcome the chance to speak to them through expressed – versus implied – intent.

The deadline for GDPR compliance is fast approaching, and it’s very likely that, in the early days of enforcement, large enterprises engaging in annoying and ruthless data marketing will be made an example of. Since individuals will have a clear and easy way to file a complaint, however, every organization needs to heed GDPR warnings and move through these grief stages quickly. It is the responsibility of employees, employers, and the businesses they work with to get on board with GDPR – like it’s 1999.

Chris Purcell is a Product Marketer for Episerver. He’s on a mission to help businesses stop playing around with digital transformation and see real tangible ROI.