Many European governments are failing to raise awareness of colossal changes impacting business on data privacy. And regrettably it’s a reflection of their lack of customer-centric digital strategy.    

They seem glued to the past of bureaucratic online silos or possibly worse, have tossed aside customer focus to instead muddle into a malaise.

This analysis highlights what to avoid so your government doesn’t repeat the same mistakes of poorly executed digital government strategy.  

Why businesses need to know about GDPR (General Data Protection Regulation)     

So what has created all the fuss?

Businesses in the European Union member states have until 25 May 2018 to comply with new regulations that better protect the information and privacy of individuals. This is no surprise as it was passed by the European Parliament two years ago.

But awareness levels, particularly among small businesses, are very low despite efforts by the media to highlight its impact. That is a major issue when businesses can be fined up to £18 million or 4% of global annual turnover if they incorrectly use an individual’s data.

Under GDPR companies can’t collect and use personal information without the individual’s consent. An individual can also demand a copy of all their data held by the company which must be provided in 30 days. Plus they can request a formal “right to be forgotten”, forcing companies to totally remove all records about the individual. On top of this, companies must report data breaches including hackings to government within 72 hours.

British businesses can’t bury their heads in the sand, thinking this will go away once Brexit happens. As with all European regulations, the UK Government is transitioning this one to British law.

What’s the problem?

Awareness and preparedness of the new regulations among UK businesses are shocking. The UK Government’s own commissioned survey from January found only 38% had even heard about the new regulations. It is only when you get to medium and large businesses (50+ employees) that awareness rates reach 66% and 80% respectively. If that isn’t worrying enough, the UK peak body the Federation of Small Businesses recently found 90% of small businesses were not prepared for GDPR.

I am not surprised at these frightening results. Put simply the experience for businesses in trying to find this information is horrendous. Thank heavens for Google as that’s the only way a business is ever going to find GDPR compliance information.

And frankly, the UK Government's approach of shrugging its shoulders and saying, “It’s ok, Google will fix our laziness,” is unacceptable.

So what happens if you’re in the UK and use Google.co.uk searching for GDPR?

The customer’s experience

Put on your customer hat and imagine you’re a small business in the UK that has read in the newspapers about GDPR. You’re worried that there are two months to go, you don’t know the first thing about complying, and you aren’t keen on a fine.

Like the millions of other businesses located within the EU’s borders, you do what you normally do when you need help with a problem. You turn to Google.

I reviewed recent keyword searches in Google’s Adwords Keyword Planner. By far the most frequently used search term in the UK relating to the regulation is “GDPR.”

Searching for that brought up what appear at face value to be three respectable results:

GDPR UK Google

Let’s assume our customer does what most people do when using Google: they begin by scanning the number one organic result, looking for trust factors. Doing this, you’d be likely to look favourably at EU GDPR as it has:

  • An official-sounding title with “Home Page of EU GDPR”
  • A secure HTTPS domain, https://www.eugdpr.org, that also sounds legitimate. It’s a reasonable assumption that most people would expect a .org top-level domain can only be registered and owned by a reputable entity
  • The description of the site is equally rich in trust markers by mentioning it is an “education resource”, spells out the regulation name in full, references the European Parliament and includes an approval date and an “enforcement date.”

Sounds a lot like a European Union website. But it isn’t. It’s a “front” website put together by a private business upselling products and services to businesses grappling with the challenge of meeting GDPR compliance.

They keep the smoke and mirrors going in both their design and strangely bureaucratic speak throughout the site:

EU GDPR homepage

It screams that it is some kind of official site. But it isn’t. It isn’t until you visit its “Partner” section that it hands you over to the company that clearly manages EU GDPR, despite them masking their domain registration details:

WHOIS for EUGDPR.org

So if you’re a business looking for official information about complying with GDPR, chances are you’re going to go down Trunomi’s sales funnel.

Now let me make this very clear; what Trunomi is doing with EU GDPR is 100% perfectly legal. But it’s not the way I personally think business should be run.

Let’s assume for a moment that you’re a smart business owner and work out the EU GDPR/Trunomi connection. You click the back button a few times and end up back at Google’s results list. You’re a little unsure about your next step realising that .ORG domains can just as easily be used as a corporate mask. Your eye scans the list of the top 10 results looking for a trustworthy indicator: a .GOV domain.  And what do you find?

Nothing.

The only quasi-government body, the UK’s Information Commissioner’s Office, has also decided to go with a .ORG domain. In many governments the role of an information commissioner or privacy commissioner is usually placed in a semi-autonomous body at arm’s length from government, but close enough to government to give it credibility. That normally means a .GOV domain.

Not only does a .GOV domain give a business customer confidence that they’re accessing information from an authoritative and impartial source, it also sends the same strong message to Google, substantially increasing its search engine rank position. Which is why government organizations are literally insane if they put in place anything but a .GOV domain.

Fortunately if any UK businesses do visit the Information Commissioner’s GDPR page they actually can find some useful advice. So from that perspective, good job.

GDPR guide on ICO

When domain strategy fails

The problem has an additional dimension: the UK’s initially strong, but then highly fragmented, approach to domain strategy.

Six years ago the UK Government consolidated the citizen portal DirectGov and business portal BusinessLink into a single domain: GOV.UK. This strategy failed dismally for business customers and has been compounded by the subsequent “regrowth” of a multitude of business customer sites.

What this all means is if you are a business owner wanting information about GDPR and instead turn to .GOV.UK or even GreatBusiness.gov.uk you are going to luck out. Badly.

Searching for GDPR on Great Business finds literally not a single result.

GreatBusiness Search Results GDPR

.GOV.UK isn’t much better. Its search results find a consultation paper from August 2017 about GDPR and then pretty much everything after that is rubbish. Think maybe navigating around the information architecture will solve your problem?

You know what the answer is going to be. Again, no joy.

What is worse is how the Business section of .GOV.UK has now just turned into a collection of jumbled links. Sure a page on data protection links to the Information Commissioner, but there’s no advice or context about GDPR or even regulations more generally.

I do find it amazing how quickly the best global example of Government to Business digital services has turned into an experience that would be lucky to be in the Top 100.

The business customer experience in Europe

At this point, I was thinking it would be useful to see how much better the UK’s main European partners - Germany, France, Italy and Spain - would fare. I was expecting great things. But I was blown away by how badly they appear to be doing too. But spoiler alert… there’s a great lesson to be learnt from Spain.

For each of these four countries I did the following things first:

  • Using a VPN I changed my IP address to each country. This way I experienced the local Google experience as if I was a business owner in these locations.
  • I initially searched for GDPR but quickly found out that due to local conditions (and translations) only Italy used GDPR. RGPD is used instead in France and Spain while in Germany the most common translation is datenschutz.
  • I then checked these terms in Google Adwords Keyword Planner to see if other more frequently used terms are searched (there weren’t.)
  • Then for each country I searched in their local version of Google the most commonly used search term to find out the results.

France

Google results from Google.fr are similar in nature to the UK. There are no government websites in the top 10 results, although CNIL - the French autonomous authority equivalent to the UK’s Information Commissioner’s Office - comes in fifth. So not a terrible result.

But well below a Wikipedia entry, two private businesses touting for work and an IT blog post. Hardly ideal for French businesses wanting to avoid a hefty fine.

But like the UK the lack of links from official government sources about the regulatory change is amazing. Nothing on www.entreprises.gouv.fr and very little on www.economie.gouv.fr. So again a poor result and one that definitively requires attention.

Italy

This is actually worse. Zero government sources in the top 10 results of Google.it.

If you search in Italian for the search term equivalents of <government business website OR portal> the well positioned results of http://www.sviluppoeconomico.gov.it or http://www.impresa.gov.it (which pretty much says to go to the new web site at http://www.impresainungiorno.gov.it) both find no results for GDPR or RGPD.

The other results are from Wikipedia and private businesses offering services to meet GDPR requirements. A bad result for Italian businesses wanting information about complying with the new EU regulation. 

Germany

You'd think those incredibly efficient and effective Germans would run rings around their European partners. But unfortunately this is a repeat of the Italian experience. There are no links in the top 10 results to the Federal Republic, although an Austrian Government and Berlin City website are found. The Berlin site is well focused around the regulatory changes across the EU, so hopefully this will be sufficient for businesses across Germany. But this still leaves a lot to be desired.

Spain

Where the rest of Europe fails, Spain has come through strong with the only standout performance.

Governments in the EU should be looking to Spain and adopting their approach as the best practice template for helping businesses comply with the new regulation.

A search of Google.es for RGPD sees their government agency page for the regulatory change coming in at number one in the results. Better yet, it’s clearly from a government agency, delivering a strong sense of authoritative trustworthiness.

RGPD-espana

When visiting the page it continues building trust, clearly using the Spanish Government coat of arms in the top left corner.

The page itself is dedicated to the regulatory change and, unlike other European countries that only referred to citizens and “organisations”, Spain actually takes a customer-centric approach. Not only does it segment content with the heading “Businesses and organisations”, the links are actually useful. Their help tool is a useful diagnostic that steps you through what you need to know about complying with the regulation. So great job there!

If you do come in through the backdoor of www.agpd.es there’s also easy-to-understand navigation to help you with the regulatory change.

What can your government learn for its digital experience?

Whether we’re specifically talking about the GDPR regulatory changes, or for that matter any important change to businesses in your jurisdiction, it’s essential that you take responsible action.

Depending on your scope here are some key elements that will not only greatly boost the benefits to business, but better manage precious internal government resources:

  • Base your customer proposition around user centricity - blow away bureaucratic barriers and deliver what a business owner needs in one integrated digital solution
  • Walk in your customer’s shoes. Whether that relates to starting up, business development or regulatory change, you need to keep them front and center of your digital offering. Don’t just think about what they’ll need, but talk to them about their issues and deliver accordingly
  • With Google’s dominance as the starting point for businesses’ problems, you need your SEO and domain strategy to account for its needs. Google prides itself on acting as a proxy for what customers want. So ensure you’re delivering on a respected domain that Google expects a government website in your jurisdiction to be delivered on
  • When business customers reach your offering, make sure it helps them. Never forget business owners are often spending their few spare hours late at night working on their business. Help them in every way you can. Not only does that assist them, it helps achieve government’s broader policy expectations.
  • If you don’t take a customer centric one-stop shop approach, build partnerships with government portals to better position your consolidated business customer offering.