“Before Google, and long before Facebook, Bezos had realized that the greatest value of an online company lay in the consumer data it collected.” – George Packer, author for the New Yorker
This is true for all businesses who collect client data not just these online behemoths. The General Data Protection Regulation (GDPR) which came into force on 25th May this year aims to redress the balance of how companies can use client data. The regulations give your clients a greater deal of control over their data with tenets of the regulation including the right of individuals to be forgotten taking centre stage.
In something of a blind panic and misunderstanding of the regulations, some companies were, prior to the regulation, sending emails asking people to opt in to mailing lists that, at best, had been long forgotten and gathering digital dust or, at worst, people had never opted in to in the first place – the latter in itself being in contradiction of existing laws. Some companies, such as Unroll.me, took the drastic step of ceasing operations in the EU – such was the dubious foundation of their data collection.
However, like the millennium bug before it, the world did not end on 26th May. Unlike the millennium bug, the repercussions of GDPR and other regulations such as PECR (the Privacy and Electronic Communications Regulations) are real and ongoing.
You can never be too careful
It is easy to be blasé about the regulations. Our advice is don’t be. It is easy to fall foul even for companies that are tech-based and, one would presume, ought to know better.
The Information Commissioner’s Office (ICO) has already claimed some high-profile scalps:
> BT – fined £77,000 for five million spam emails to customers
> Yahoo – fined £250,000 for compromising the data of over half a million UK email accounts
> Carphone Warehouse – fined £400,000 for a data breach affecting records of over three million customers.
The Carphone Warehouse fine was one of the largest ever issued by the ICO. However, it did not seem to act as an effective deterrent as they have had a subsequent data breach which may result in a further fine of a staggering £400 million. Coupled with store closures, this could represent a “perfect storm” where another high street name bites the dust.
Our recommendation is that, if you haven’t already secured your data, you do so immediately. Under GDPR, a serious complaint can lead to a fine of 4% of turnover or €20 million, whichever is the greater.
Now that the dust has settled you may have concluded that GDPR compliance is a marathon and not a sprint. No one was fully prepared before 25th May and the interpretation of the regulations varies from company to company. Furthermore, the ICO are changing the rules of engagement with the introduction of data protection fees – something they announced after 25th May.
A few things to bear in mind if you are still unsure of what you need to do:
> Pay your data protection fee to the ICO – if you are processing personal data then you need to pay the fee.
> Get a thorough understanding of the basis for data processing – you may have read a lot about getting consent, however, it is not the only basis for data processing. Under legitimate interests processing you may not need to fully eradicate your legacy data as is commonly believed and you can, with due caution, harvest further data. However, we would recommend that if you are holding any old data that you purge it immediately.
> Professionalise everything – we recommend that you conduct a thorough data audit and document what you have in terms of data and what the sources are. This makes it much easier to identify what needs to be kept and what needs to be jettisoned. Document why you need the data and what basis you have for processing this data.
> Dive deeper – pre-GDPR it was almost a badge of honour to have a huge list. GDPR presents an opportunity to really look at the data and identify who has been engaging with your marketing communications. As a rule of thumb, if they haven’t opened your emails in the last two years – delete them.
> Lock it down – cleaning up your data is only one, albeit big, part of the equation. Apart from damaging your reputation with your clients, a cyber-attack can, as we have seen, lead to a big fine from the ICO. Make sure that your website is secure and that you have processes in place internally for sharing data. We recommend password protecting and encrypting databases where possible.
As we realise that the regulations can be daunting, we have put together a dedicated page on our website devoted to GDPR compliance and the evolution of hotel PMS software, restaurant epos and meeting room booking software towards meeting the regulations.
While you are there you can also download a copy of our popular “Easy Guide to Being GDPR Compliant” which is packed with useful and actionable advice.
Finally, hear what our CEO, Luis Desouza, has to say about the opportunities the new regulations present: