Your GDPR risk exposure extends far beyond data theft through hacking: the penalties are just as severe for misuse of data, such as marketing to people who never gave their consent.
In 2015, the pub chain JD Wetherspoon was one of many British companies to suffer a data breach, with more than 650,000 customer records stolen. At around the same time TalkTalk lost approximately 150,000 records and was fined a then-record £400,000 for its negligent data security. Not even the UK government is safe: its own Cyber Essentials cyber security scheme suffered an embarrassing breach. These fines pale into insignificance beside the GDPR penalties that apply from May 2018: under the new regime TalkTalk could have been liable for a staggering £59 million.
While the above made for great newspaper headlines, marketing-led breaches of data protection law have proven costly for other well-known brands: Honda and Flybe. On the surface, their actions sounded quite correct: they tried to ‘re-permission’ their customer databases by emailing customers to ask them to update their details and confirm their marketing preferences. Unfortunately, both were in fact contravening existing data protection law by emailing people who had already opted out of such messages.
As ICO Head of Enforcement, Steve Eckersley put it, “Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law… Businesses must understand they can’t break one law to get ready for another.”
Wetherspoon has taken a different, more drastic approach: it decided that holding personal data was too big a risk and deleted its entire customer email database.
Honda and Flybe were fined a total of £83,000. What can you do to avoid falling into the same trap?
Start by querying the database and filtering out every contact for whom you cannot prove marketing consent. Your marketing department will be alarmed: what if that consent was never recorded? Wetherspoon has embarked on just such a corrective policy, and vast tranches of data are being deleted. Don’t underestimate the danger of marketing to people whose permission you don’t hold or, worse, to people who had previously opted out.
Ensure you have policies and procedures for a new opt-in process. Again this can cause conflict with marketing: the ideal is a ‘double opt-in’, where rather than merely ticking a box and clicking ‘submit’, the user must also respond to a confirmation email. The impact is still being measured, but response rates can plummet. Conversely, the quality of your marketing database is vastly improved.
Preserve your consent data. Consent must be provable, and that requires far more than a tick box in an Excel spreadsheet or a flag in a database. You must preserve the confirmation email, or a date- and time-stamped record of the consent together with the policy that was in force at that time. A Document Management System (DMS) is a good fit for this, but remember to encrypt the data.
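The three steps above (suppress contacts without provable consent, run a double opt-in, keep a timestamped record of each consent and the policy version it was given under) can be expressed as a small append-only consent ledger. The following is an added example written for this page, not code from the article or from any CRM product; the table layout, the sample contacts and the `policy-2018-05` version label are all constructed assumptions. It uses SQLite so it runs offline.

```python
import secrets
import sqlite3
from datetime import datetime, timezone

# Constructed schema (an assumption for this example, not any real CRM's):
# every consent action is an immutable event, so the proof of consent
# (who, when, under which policy, with what evidence) sits alongside the
# current state instead of being overwritten by a tick box.
SCHEMA = """
CREATE TABLE contacts (
    email TEXT PRIMARY KEY
);
CREATE TABLE consent_events (
    id             INTEGER PRIMARY KEY,
    email          TEXT NOT NULL REFERENCES contacts(email),
    event          TEXT NOT NULL CHECK (event IN ('requested', 'confirmed', 'opted_out')),
    occurred_at    TEXT NOT NULL,   -- UTC ISO-8601 timestamp
    policy_version TEXT NOT NULL,   -- privacy policy in force at the time
    token          TEXT,            -- double opt-in confirmation token
    evidence       TEXT             -- e.g. source IP, mail id, unsubscribe link
);
"""


def _now():
    return datetime.now(timezone.utc).isoformat()


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def request_opt_in(conn, email, policy_version):
    """Step 1 of double opt-in: record the request and return the token that
    goes into the confirmation email. The contact is NOT mailable yet."""
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT OR IGNORE INTO contacts(email) VALUES (?)", (email,))
    conn.execute(
        "INSERT INTO consent_events(email, event, occurred_at, policy_version, token)"
        " VALUES (?, 'requested', ?, ?, ?)",
        (email, _now(), policy_version, token),
    )
    return token


def confirm_opt_in(conn, token, evidence):
    """Step 2: the recipient followed the link. Store the confirmation with a
    timestamp, the policy version they agreed to and the evidence.
    Returns False (and records nothing) for an unknown token."""
    row = conn.execute(
        "SELECT email, policy_version FROM consent_events"
        " WHERE event = 'requested' AND token = ?",
        (token,),
    ).fetchone()
    if row is None:
        return False
    email, policy_version = row
    conn.execute(
        "INSERT INTO consent_events(email, event, occurred_at, policy_version, token, evidence)"
        " VALUES (?, 'confirmed', ?, ?, ?, ?)",
        (email, _now(), policy_version, token, evidence),
    )
    return True


def opt_out(conn, email, policy_version, evidence):
    """An opt-out is appended, never deleted, so it outlives any later campaign."""
    conn.execute(
        "INSERT INTO consent_events(email, event, occurred_at, policy_version, evidence)"
        " VALUES (?, 'opted_out', ?, ?, ?)",
        (email, _now(), policy_version, evidence),
    )


def mailable_contacts(conn):
    """Contacts whose most recent confirm/opt-out event is a confirmation.
    A bare request, a legacy row with no events, or a later opt-out all exclude."""
    rows = conn.execute(
        """
        SELECT c.email
        FROM contacts c
        JOIN consent_events e ON e.email = c.email
        WHERE e.event = 'confirmed'
          AND e.id = (SELECT MAX(x.id) FROM consent_events x
                      WHERE x.email = c.email
                        AND x.event IN ('confirmed', 'opted_out'))
        ORDER BY c.email
        """
    ).fetchall()
    return [r[0] for r in rows]


def consent_proof(conn, email):
    """The record you would hand to a regulator: the latest confirmation, or None."""
    row = conn.execute(
        "SELECT occurred_at, policy_version, evidence FROM consent_events"
        " WHERE email = ? AND event = 'confirmed' ORDER BY id DESC LIMIT 1",
        (email,),
    ).fetchone()
    if row is None:
        return None
    return {"occurred_at": row[0], "policy_version": row[1], "evidence": row[2]}


def build_sample_db():
    """Constructed sample data covering the cases the article warns about."""
    conn = open_db()
    # alice: asked and confirmed -> mailable
    confirm_opt_in(conn, request_opt_in(conn, "alice@example.com", "policy-2018-05"), "ip=198.51.100.7")
    # bob: asked but never clicked the confirmation link -> not mailable
    request_opt_in(conn, "bob@example.com", "policy-2018-05")
    # carol: confirmed, then opted out -> not mailable; the opt-out must win
    confirm_opt_in(conn, request_opt_in(conn, "carol@example.com", "policy-2018-05"), "ip=203.0.113.9")
    opt_out(conn, "carol@example.com", "policy-2018-05", "unsubscribe link")
    # dave: legacy spreadsheet import with no consent record at all -> not mailable
    conn.execute("INSERT INTO contacts(email) VALUES ('dave@example.com')")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(mailable_contacts(db))
    print(consent_proof(db, "alice@example.com"))
```

Two design points matter here. Suppression is computed from the event history rather than from a mutable "subscribed" flag, so a re-permissioning mailing can never silently reach someone whose last recorded action was an opt-out, which is exactly what caught Honda and Flybe. And the confirmation row keeps the timestamp, the policy version and the evidence, so the proof the text asks you to preserve exists from the moment consent is given; carol's confirmation is still retrievable after her opt-out, which is what you want if the timing of a complaint is ever disputed.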
You may need to create a whole new marketing campaign to attract fresh consent. While this can carry a hefty price tag, remember that the cost may be offset by a database that is accurate and up to date: marketing communications are expensive to produce, and it is often better to send 1,000 messages to ‘perfectly’ qualified leads than a mass broadcast to thousands who aren’t interested or, even worse, flag your email as junk.
Maintain proof of consent