GDPR Friday: Two Perspectives From ROCCO

GDPR Friday: The Great Spring Clean

By Jason Bryan, C.E.O. ROCCO

Happy GDPR Friday. With its Millenial feel, GDPR Friday is here and is a day to feel less oppressed from spam, protected, and empowered. The amount of MNOs who are reporting that they didn’t even know they were on some vendors mailing lists… its been confusing, but somehow the opting out feels like a good spring clean. If you could choose only 10 companies you want to hear from, would there even be 10?

One MNO reported to us:

“Do many vendors think that sending unrequested email is effective, time saving or reduces costs of sales? Some mails I get from Vendors make me want to avoid them”.

The truth is for many years vendor’s reminders to check their website, or contact their sales personnel, or that they are opening an office on the other side of the world have been counter-productive. You have to give something relevant in return and effectively up-your-game, you have to get personal in your approach. Customer segmentation is after all not rocket science and yes, you have to make time.

Another MNO told us:

“All I get is messages saying – hi, by the way we are going to this meeting (you are already aware that we go to, but by the way we are still going)”.

We get it, investing in making physical connections by attending meetings is costly, but the time when having relevant, non sales orientated content has truly arrived.

Plus, c’mon if you’re going to invade someone’s personal space, give something for their time, some actionable data that under GDPR warrants them staying on your mailing list. Give them note-worthy insights, research and development news, a reason for taking up their time.

At ROCCO we always worked on the premise that “trust” is not established by sharing what companies share with us confidentially, so we never shared any personal, private or similar data. But we also take pride in reporting some important stuff.

In the case that you’re interested in insights, consider how ROCCO can help. We are highly connected and also have a specific Insight Community of MNOs willing to give opinion on products and services, brands and strategy. Listen up to ROCCO RADIO to see what we are doing these days or indulge in data with our latest reports.

May your inbox be tidy and interesting.

GDPR & The Escalating Data Privacy Drama

An article by Polina Hristova

This is actually perfect timing – following the consumer privacy scandal involving Cambridge Analytica and Facebook, as well as the further sensitive revelationsregarding the Equifax case, the General Data Protection Regulation (GDPR) will go into full force this May 25, 2018. It looks almost like a consequential measure to the aforementioned disasters, but GDPR is actually the result of a four-year effort. The recent data debauchery helped underline its importance immensely and reinforced its once controversial nature. Europeans are spooked and terrified.

The GDPR aims to protect all EU citizens from privacy and data breaches, a threat that’s evolved way past what it used to be since the 1995 directive, and it’s now become one of the EU residents’ top concerns.

GDPR will replace the Data Protection Directive 95/46/EC and transform into a binding legislative act. Not merely a goal to aspire to, guiding the EU members; past the 25th this month, it must be applied in its entirety across the EU. And the noncompliance fees are staggering.

It will affect all organisations who hold and process EU residents’ personal data, regardless of geographic location. Everyone must be quivering in their boots. The punishment can be as high as €20 million or 4% of a company’s total global revenue… whichever is higher. The fines are somewhat tiered, e.g. a company can lose 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting impact assessment.

These rules apply to both controllers and processors. Controllers determine the purposes, conditions and means of the processing of personal data, while the processors… well, process, personal data on behalf of the controller. Some businesses might even need to appoint a Data Protection Officer (DPO).

To avoid getting smacked in the wallet:

“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.”

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states maylegislate for a lower age of consent but this will not be below the age of 13.” (GDPR FAQs,


“DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.” ( GDPR FAQs,

What about those affected by Brexit?

If your activities are exclusively limited to the UK, then the position after the first exit period is unclear. Meanwhile, GDPR will be enforced for the UK and its citizens as well. It is suspected that equivalent or alternative legal mechanisms will be implemented, due to the support the ICO and UK Government provided to the GDPR pre-Brexit.

What if I don’t want to spend money to become GDPR compliant?

Naturally, some saw opportunity amidst the collective panic and contrivances such as GDPR Shields began to emerge, promising to efficiently block all EU-based traffic from accessing a website… which is a somewhat useless measure. The EU citizens are protected by the GDPR regardless of where they are located in the world. These services are not free, of course, and sites that want to implement it have to pay monthly fees from $9 upward. Unfortunately, many would rather pay for a shield than become GDPR compliant and thus, shutting out millions of EU users from websites owned by companies who do not want to spend thousands of dollars. But again, a shield does not grant full coverage – 3.0 million EU citizens live outside EU territory. Good luck with that.

Some companies have simply chosen to abandon the EU market. Examples of companies and services that have withdrawn from the EU market because of GDPR include: Verve (online marketing), Ragnarok Online (online game), SuperMonday Night Combat (online game),Unroll (email subscription service), Brent Ozar Unlimited (software supplier), Tungle (gaming software provider), and Drawbridge (cross-device identity service). There are probably many more, but those are amongst the companies who have made their decision public.

If you’ve enjoyed our content, read on at Our Website or tune into ROCCO RADIO on iTunes and Soundcloud.