James Jeynes, Chief Executive and Founder, MemNet shares advice on how to keep up the conversation without falling foul of the data protection rules
It’s a sad fact that a widespread misunderstanding of the EU General Data Protection Regulation damaged many organisations very badly in 2018. Who can forget the onslaught of unsolicited emails from retailers, banks, utility companies and membership organisations urging us to positively “opt in” to avoid being removed from their lists forever? How many of us heaved a sigh of relief at this prospect and did nothing?
Since then we have seen many different approaches to the regulation. Organisations in heavily-regulated sectors, where one false step could have serious legal and reputational consequences, have kept to their word and suffered more as a result. Many charities and not for profits, for example, found their membership bases reduced drastically.
We are aware of one organisation that lost eight thousand members – more than a quarter of its total database - overnight. Meanwhile others have taken the decision to relax their attitude, overlook their vows of silence, and are cheerfully contacting everyone again on a regular basis.
The reality is that data protection is all about common sense. The rules have changed and the fines for ignoring them are real, so they need to be taken seriously. However, the aim of the Information Commissioner’s Office, which enforces the data protection regulation in the UK, is not to catch anyone out. The recent changes are sensible and protect all of us as individuals.
It’s true that organisations can’t contact us without our consent, but that doesn’t mean that relevant messages can’t be sent to an already established database. The need for personal information to be protected as securely as possible – and deleted on request - is just good practice. It makes sense that anyone holding sensitive information should be able to justify for what purpose they are doing so.
For the organisations that hold customer data, the first place to start is to make sure that the right procedures are in place to keep personal information safe and to protect privacy. While this sounds straightforward, it’s surprisingly easy to get it wrong.
One of our associates, an expert in the field of data protection and the GDPR, cites a host of examples of casual breaches that have taken place recently, from government ministers accidentally showing the wrong side of a piece of paper to the TV cameras (think the BBC’s political satire, The Thick of It), to an organisation diligently employing a company to shred its sensitive documents once a month but leaving these documents unsecured in an open plan office between visits!
One of our directors also recently received an email (about the GDPR!) from a large membership organisation, which was also sent to several hundred other people. He knew this because all their email addresses were in the cc line of the address rather than the bcc. An easy mistake to make, but one that could have been avoided with a few simple checking procedures, and that could have landed the organisation in serious trouble.
Below are a few simple guidelines you can follow to make sure that you are on the right side of the regulations:
Customer consent – do you have it?
Can you demonstrate that everyone on your database has given you permission to contact them? If you are a membership organisation, the fact that they have joined you will be a good enough reason to be holding their details. But, make sure that any information you send them is within this context.
Deletion is forever
On the sad occasion when someone does request to be removed from your database, you must have the ability to delete their records completely and within a short period of time. A report by Talend shows that over the past year only 26 per cent of UK businesses have successfully addressed data requests from individuals seeking to obtain a copy of their data within the one-month time limit required by the GDPR. If you still have customer information in a variety of different spreadsheets or folders, it’s time to invest in a new database so that every customer has one record.
Offer personalised communication choices
Does your mailer system allow you to send targeted messages to different people? Some of your customers may want to receive information about one subject, but not another. Ensure that someone can unsubscribe from a particular newsletter without removing themselves entirely from your mailing lists.
Invest in ISO9001
Achieving the ISO9001 quality management standard is an exercise well worth undertaking. It will ensure that your processes are robust and that goes a long way towards achieving GDPR compliance. Importantly, if anything does go wrong, it demonstrates that you have taken the right steps towards prevention.
We advise against taking a “wait and see” policy towards data protection and privacy. While the ICO is likely to be focusing its attention (and fines) on a few major transgressors, data protection is an incredibly important issue in terms of customer confidence and trust – both of which are essential to the reputation of any organisation. Start by reviewing – and tweaking if necessary – your procedures and processes and invest in the right technology which will allow you to continue contacting your customers with confidence.
Communication, communication, communication! They say every security professional needs strong communications skills these days - whether it's receiving the budget you require from the board or persuading your organisation to …