In our role as journalists, we’ve been deluged with hundreds of pitches for stories related to GDPR, which went into effect last week. It didn’t help matters that on the first day the UK commissioner’s website was down for a couple of hours, an Austrian privacy advocate hit Facebook and Google with billions of euros in lawsuits, and the privacy browser plug-in Ghostery sent out emails about its change in policy but inadvertently cc’d 500 user names in each batch of email.
Given all the pitches we’ve had over the last year, we’ve had to be selective about what got our attention, so in this show we discuss what did and didn’t work. Among the items we followed up on was this interview with the former head of compliance for Visa in Europe, who now works for a security vendor. And Imperva put together this interesting infographic (shown here in part) on what the 72-hour compliance deadline really means.
There has been plenty of research on readiness, but the findings were all over the map, which undermined the credibility of many surveys. Paul wrote about an IBM study that showed the positive effects of compliance, a breath of fresh air at a time when most coverage was negative. Then there was this story about how criminals are using GDPR as the basis for phishing attacks, with Airbnb users targeted in particular.
Another pitch from Veritas showed that companies risk going out of business because of the cost of complying with the regulations. And then there was Ponemon’s study last month that gave a comprehensive and credible overview of the issues. Paul wrote another story about how IBM is using Apache Atlas as an organizing framework to help its customers build compliance measures. The interesting angle there was open source.
Among the worst pitches was the company that tried to make the case that GDPR would seriously inhibit the ability of companies to maintain records about their own employees. In fact, the legislation says nothing about that. The company promised to follow up with a reference to the relevant passage in the regulation, but it was never heard from again.
One of the best sources of reliable information is security consultant David Froud. He complained that many companies did nothing, or in the case of a few American daily newspapers, even blocked European IP addresses. “Companies can’t even figure out how to communicate to their customer base, what are the chances they can perform appropriate risk assessments?” he asked, somewhat incredulously. Froud told his readers not to be a muppet, by which he meant someone who just does nothing. After all, they have had two years to prepare.
Paul has actually read the entire GDPR document, which is not overly long, and suggests it should be every marketer’s starting point when pitching GDPR, or any compliance-related story.
We conclude our podcast with some lessons to be learned for future pitches, to ensure that they don’t end up in the trash heap.