Last June JD Wetherspoon deleted its entire email database. Why? They weren’t explicit other than stating: “We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.” JD Wetherspoon was subject to a data breach in 2015, which set the wheels in motion, and with the General Data Protection Regulation (GDPR) coming up in May, the pub firm clearly decided it didn’t have the appetite for fines of 20 million Euros or four percent of company turnover (whichever is greater).
The noise surrounding GDPR has been impossible to ignore and will only get louder as we approach deadline day. Companies across the UK are desperately trying to figure out what state their email marketing database is in (this is one part of GDPR – there’s more to it) before making strategic decisions on how to approach this new legislation. The latest on GDPR and the Privacy and Electronic Communications Regulations (PECR) can be found on the ICO website. In the meantime, here are a few considerations for your hospitality business.
- Do you understand the legislation? Have you done your homework? Don’t use news headlines as a basis for your information. There is plenty of good advice on the ICO website and the GDPR portal as well as advice from the Article 29 Working Party. Take the time to understand the requirements in the context of your organisation and other applicable legislation. If necessary, take legal advice.
- If you are focusing on penalties that come with non-compliance of GDPR, you are doing it wrong. GDPR is the right thing for consumers and they are critical to your business. Focus on your customers and they will look after your reputation.
- Educate your business. Regulation matters to your business and should not be left to the data protection officer to handle alone in a corner (a Data Protection Officer is required for organisations with more than 250 employees, or when the core nature of the business is personal data processing). Your employees are amazing and have the answers to all those challenges that arise. Let them help you embed it into your culture.
- Make sure you assess your existing systems. Data privacy impact assessments are a good way to do this. Ensure this includes a data flow map as it really helps with the auditing of systems. Document your decisions and make sure management are included in the risk and decision-making process.
- Review your privacy statements to make sure they are GDPR compliant. Your legal basis and processing purpose should not only serve your business now but should also future-proof you. Getting this wrong may mean you will need to seek additional consent later.
- No one wants to read ten pages of jargon in a privacy statement. Keep it clear, informative, concise, honest and user friendly. There are specific criteria that need to be included in the privacy statement, so make sure they are all covered.
- Don’t be sneaky. If your lawful basis is consent, this needs to be an affirmative action by an individual. Pre-ticked opt-in boxes, silence or ‘tick here to opt out’ are not valid mechanisms for consent. Check the ways in which you are collecting information.
- Take stock of the personal data that you are processing. Audit what you have. If you don’t need it, don’t collect it. There is an extension of the definition of personal data related to GDPR, so make sure your assessment of personal data has a full scope.
- Security! Security! Security! Your customers’ data deserves a duty of care; data is your biggest asset. Follow the data flow and make sure it’s protected appropriately at all stages of its journey. This includes storage, transfer, access to information and location (adequacy checks are required for transfers outside the EEA).
- Know the data subjects’ rights. After all, you’ll need to be able to respond to customers exercising them. How will you deal with these? Keep it simple, but repeatable. Don’t over-engineer; it needs to be proportional to the risks you face.
- Don’t believe the hype! No software is a silver bullet for GDPR. Software can support good governance, but cannot do it on its own.
- Processes matter! Have processes in place to ensure data is processed for the purpose it was collected. Keep it simple. Unduly complex processes are doomed to failure.
The ICO website is providing targeted advice in all areas of GDPR, but don’t forget, PECR regulations are still important when it comes to email and SMS. Get reading!
By Mark Cooper, Head of Technical Operations, at data marketing agency, Celerity