That’s a scary stat but I thought it was a poignant one. SME's in all sectors are so reliant on customer data that if they don't get their house in order they could kiss goodbye to all, or a seismic chunk, of their customers and potentially their businesses from the 25th May 2018.
In a world where data gives unprecedented power to organisations: whether national, corporate, political, charitable or ‘other’ data is used as a weapon, and where politicians openly foment racism and division within communities (aided in no small part by the use of massive stores of personal data harvested from devices and accounts), we should no longer look at data protection as solely a matter of legal compliance, Instead we should view it as an act of social responsibility, user protection, and quite possibly, as a safeguard against what may be to come. You have a role to play as you're ultimately accountable to your customers.
So with only a few months to go before the General Data Protection Regulation (GDPR) and ePrivacy Act’s becoming enforceable across Europe, it’s time to think about your User Privacy and Data Security.
What do I mean by this and how does this relate to your industry (an industry reliant on the collection, sharing and manipulation of data)? This means meticulous data hygiene is needed. Identifying who at any event you host is the UK or EU is a resident, WHAT data is collected about them, WHERE it’s stored and HOW it’s used. If you use third parties such as hotels or if you have travel partners, the law also applies to them so do they comply? You’re liable for all the data you share with a hotel, an airline or any other third party, as well as accountable for how they manage it, so are they GDPR compliant?
Fundamentally this is all about placing the rights of the consumer ahead of your own – establishing privacy as a fundamental human right is key. So for you this ranges from not using ‘pre-ticked’ boxes on a signup page to the sharing of delegate lists like sweets in a playground.
It's also more than just name and address; it also includes details about income, health, frequent-flyer and frequent-stay accounts, birthdays, age, food preferences, allergy notifications, cultural and ethnic background, etc.
Although 95% of businesses in this industry are addressing GDPR, how many are effectively doing so or taking it seriously is unclear. Many businesses feel it’s another headache they could do without, viewing GDPR as ‘Red Tape’ to resent so what’s the worst that can happen if we ignore it.
THE RISKS ARE HUGE AND BREXIT WON’T SAVE YOU.
As a worst-case scenario, many companies who do nothing or fail in their responsibilities can face fines of 4% of their global revenue. To put that in perspective; if Uber had been caught after May next year they would be stuck with a fine of $260m. If The Hilton’s 2015 data-theft was after May 2018 then they wouldn’t be looking at a poultry $700k fine but a $420m fine. These are serious numbers.
But “Hang on a minute!” (I hear you cry), “These are massive companies, data silo’s, we’re an agency, hardly "significant" enough.” Yes, yes you are. GDPR is self-funded which means that all EU States (yes, including us) not only have to adopt it, we have to enforce this universal law from our own pockets.
What this means is that as it’s funded by itself, the more fines the ICO enforce the better funded they are to track everyone down - including you – be that by encouraging consumers to report suspicious data uses or (god forbid), a redundant PPI firm offer Joe Bloggs a free ‘Subject Access Request’ to chase companies down who have to prove all the personal data they hold.
IS THERE AN OPPORTUNITY HERE?
So what if, and bear with me here, what if rather than viewing it as a problem it was viewed as an opportunity. You are after all in the same boat as everyone else, you’re not being singled-out (even though it feels like it). Your advantage here is in your competitions apprehension to embrace change; when in fact a change in their relationship with data means reinforcing that trust with their clients.
As consumers and businesses realise their rights and responsibilities, any business that isn’t GDPR compliant will be ditched for one that is so why would you wait? Your hard-earned credibility will be judged on your ability to care – which you do, but only now you would have to evidence it.
Personally, and granted I’m a little bias, I feel that what the EU have achieved with the GDPR in 5-years is great on so many levels; not least how they managed to get 27 + 1 Member States to agree on one overarching law when they often squabble over wine choices.
The GDPR is to Data Privacy in the 21st Century what the Health and Safety Law was in the 20th. A single Directive handing power back to the consumer and establishing privacy as a “fundamental human right”. Privacy 2.0.
IF YOU LOVE THEM LET THEM GO, IF THEY DON’T COME BACK IT WASN’T MEAN’T TO BE!
So now I’ve put the fear of god onto you, how do you now step up? Initially focus on ‘Consent’ and ‘Evidence’.
Do you have explicit consent for that person to be contacted, and for that reason? If you don’t know then you need to seek their consent by re-permissioning. If you’re concerned they won’t come back to you and you’ll lose 75% of your database then take the medicine and get over it, they were never going to engage with you again anyway so embrace those who will. The value, ultimately, is in those who do.
Also, do you have the minimum required to fulfil what they want from you. If they want to be notified about future events, asking for their blood-type and any medication is overkill and not considered reasonable so keep your data to a minimum.
Once you have their consent make sure it’s evidenced and you can prove it. Many a hotel has compiled a database by collecting cards with contact details to complete and then destroying the evidence that the delegate consented in the first place. This won’t be legal so keep that evidence.
That’s just two challenges for you, now here’s our 12-point ‘to-do’ list to lead you on the road to compliance:
- Create an inventory of all the data you hold, both online and offline, internal and external, for active projects and dormant ones.
- Create privacy information notices for all products and services.
- Review your consent processes across all projects.
- Review your Subject Access Request process.
- Be prepared to meet requests for data rectification and erasure.
- Implement any data portability processes that might be required for client projects.
- Review any processes concerning data you use or transfer for the purposes of behavioural tracking or marketing.
- Review your data breach process.
- Review your data security standards.
- Implement PbD into your workflows for all future projects.
- Review contracts with any third parties with whom you give or receive data.
- Review your basis for sending or receiving data outside the EU.
It doesn’t have to be the nightmare you perceive it to be, like filling our your tax return; if you have the receipts and the invoices it’s just data input. The headache comes when you haven’t.
About the author:
Nigel Bywater is from Engaged’Em (engagedem.com) who specialise in responsible consumer engagement and are part of The Coded Garden Limited. Nigel has 21 years experience in web deployment with a focus on ‘Ground Up’ Data Privacy.
If you need help with any of your Data Privacy then you can register your interest at engagedem.com