A recent global study found that there is a one in four chance that your business will experience a cyber attack leading to the breach of customers’ personal data, at an average cost to a company of £2.79 million.
Is your business prepared in the event of a breach?
In 2015, pub chain JD Wetherspoon was one such organisation to experience a data breach, when over 650,000 customer records were stolen. That is four times as many as were taken in the attack on TalkTalk around the same time; a breach that saw the telecommunications company receive a record £400,000 fine for its security failings. Not even the UK government is safe, after an embarrassing data breach of the website of its own Cyber Essentials certification scheme.
Yet while £400,000 is no small amount of money, had the breach taken place after the General Data Protection Regulation had come into force, the punishment for the company's negligence would have been considerably more: £59 million, to be exact.
With the prospect of escalating fines being potentially catastrophic to small and medium-sized enterprises (the upper tier under GDPR is €20 million or 4% of global annual turnover, whichever is higher), staying on the right side of the new laws couldn't be more important. Not just to ensure data security, but data privacy and compliance, too.
Unfortunately, even this process is fraught with danger, as the likes of Honda and Flybe experienced. In trying to 're-permission' their customer databases (emails asking people to update their details and/or confirm their marketing preferences), they were in fact contravening existing data protection laws by communicating with those who had opted out of such emails.
As ICO Head of Enforcement, Steve Eckersley put it, “Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law… Businesses must understand they can’t break one law to get ready for another.” The companies were fined a total of £83,000.
Wetherspoon has taken a different, more drastic approach. Namely, deciding that holding personal data is too big a risk, it deleted its entire customer email database.
An article from Wired reports that Wetherspoon considered email marketing "intrusive" and suggested that its customers follow the company through its social channels instead. Speaking to Wired, a Wetherspoon spokesperson said, "We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data."
While it may be true that Wetherspoon believes email marketing is intrusive, cynics may conclude that the real reason the database was wiped was that the company never sought (or couldn't prove) it had permission to send marketing emails in the first place. In which case, as Honda and Flybe might agree, it may be cheaper and easier to start with a clean slate than to seek marketing consent retroactively.
Of course, as many businesses depend hugely on their email database, starting from scratch simply isn't an option. What can they do?
Don’t assume you have to re-permission everyone
Give existing customers a clear opportunity to opt-out
A simply worded (and GDPR compliant) privacy statement explaining how you plan to use customer data, the lawful basis you rely on, and their right to object to its use and collection sets out what GDPR requires you to tell existing customers. Note that a statement on its own is not consent: where you rely on consent as your lawful basis, GDPR requires a clear affirmative act by the customer, so a pre-ticked box or silence will not do.
Make sure you have detailed (and easily accessible) records of when, how and on what wording that consent was given. Even more important, send this message only to customers who have already consented to receive emails; writing to those who opted out is exactly what Honda and Flybe were fined for.
Be diligent with third-party data
If you need prospect contact data, ensure it is acquired only from a trusted partner that conducts its own GDPR-compliant consent checks.
Delete when you have doubts
You don't have to go to the same extremes as Wetherspoon, but it is better to delete a record you cannot prove consent for than be fined for holding on to it. Only keep the data that you really need: fewer records means less chance for trouble.
Maintain data quality
Keeping your records up-to-date with a continual procedure for data cleansing and enhancement will ensure data is accurate and maintains its compliance.
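The three record-keeping steps above (keep evidence of consent, delete records you cannot prove consent for, cleanse what remains) can be carried out as one audit over a consent ledger. The following is an added example written for this page, not code from Wetherspoon, Honda, Flybe or the author; the `ConsentRecord` schema, the field names and the sample ledger are assumptions made here for illustration, and the sample addresses are constructed, not real customers.

```python
"""Consent ledger audit: keep only marketing records whose consent can be proven.

Added illustration for this page. The record schema and sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentRecord:
    """One opt-in as it would be stored; every field except withdrawn_at is evidence."""
    email: str
    given_at: Optional[datetime]      # when the opt-in was captured (UTC)
    source: Optional[str]             # where it was captured, e.g. "checkout-form-v3"
    statement_version: Optional[str]  # privacy statement version shown at the time
    evidence_ref: Optional[str]       # pointer to the stored form submission or log entry
    withdrawn_at: Optional[datetime] = None


def normalise_email(raw: str) -> Optional[str]:
    """Minimal cleansing: trim, lower-case, require one '@' and a dotted domain."""
    addr = raw.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or "." not in domain or domain.startswith(".") or domain.endswith("."):
        return None
    return addr


def consent_problem(rec: ConsentRecord, now: datetime) -> Optional[str]:
    """Return None if the consent is provable, otherwise the reason it is not."""
    if normalise_email(rec.email) is None:
        return "invalid email"
    if rec.withdrawn_at is not None:
        return "consent withdrawn"
    if rec.given_at is None or rec.given_at > now:
        return "no valid consent timestamp"
    if not rec.source or not rec.statement_version or not rec.evidence_ref:
        return "consent not evidenced"
    return None


def audit(records: list[ConsentRecord], now: datetime) -> tuple[list[str], dict[str, str]]:
    """Split a ledger into cleansed addresses to keep and addresses to delete with reasons.

    Records are grouped by normalised address so duplicates are resolved: a withdrawal
    overrides any earlier opt-in, otherwise one provable record is enough to keep.
    """
    by_addr: dict[str, list[ConsentRecord]] = {}
    for rec in records:
        key = normalise_email(rec.email) or rec.email
        by_addr.setdefault(key, []).append(rec)

    keep: list[str] = []
    delete: dict[str, str] = {}
    for key, recs in by_addr.items():
        problems = [consent_problem(r, now) for r in recs]
        if "consent withdrawn" in problems:
            delete[key] = "consent withdrawn"
        elif None in problems:
            keep.append(key)
        else:
            delete[key] = problems[0]
    return keep, delete


UTC = timezone.utc
NOW = datetime(2018, 5, 25, tzinfo=UTC)  # GDPR application date, used as "now"

# Constructed sample ledger (assumed schema, fictional addresses).
SAMPLE_LEDGER = [
    ConsentRecord("Alice@Example.com", datetime(2017, 3, 1, tzinfo=UTC),
                  "signup-form-v2", "ps-2017-01", "forms/2017/03/0001"),
    ConsentRecord("bob@example.com", None, None, None, None),          # legacy import, no provenance
    ConsentRecord("carol@example.com", datetime(2016, 9, 9, tzinfo=UTC),
                  "checkout-v1", "ps-2016-02", "forms/2016/09/0042",
                  withdrawn_at=datetime(2018, 1, 5, tzinfo=UTC)),      # later opted out
    ConsentRecord("dave@example", datetime(2017, 1, 1, tzinfo=UTC),
                  "signup-form-v2", "ps-2017-01", "forms/2017/01/0007"),  # malformed address
    ConsentRecord("alice@example.com", None, "list-purchase", None, None),  # unproven duplicate
]

if __name__ == "__main__":
    kept, to_delete = audit(SAMPLE_LEDGER, NOW)
    print("keep:", kept)
    for addr, reason in to_delete.items():
        print(f"delete {addr}: {reason}")
```

The point of the per-address grouping is that a bought-in or legacy duplicate with no provenance does not cost you a customer whose opt-in you can prove, while a recorded withdrawal wins over everything that came before it. Run the audit before any re-permissioning mailing, and send that mailing only to the `keep` list.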
There is little escaping that GDPR will see email databases shrinking while you get your house in order and customers exercise their rights to greater privacy. But the loss of quantity should also see an increase in quality, and isn't modern marketing supposed to be about being more effective and relevant?
White Paper: The General Data Protection Regulation
A Practical Guide for Businesses
This White Paper also covers:
- The global scope of GDPR
- How GDPR will change consent, processing and profiling
- The new rights for data subjects
- Guidelines for Data Protection Officers
- Liabilities, penalties and enforcement