Did Wetherspoons delete all customer data for fear of GDPR’s imminent arrival?

Pub chain Wetherspoons has announced that it is deleting all customer email addresses stored in its database.

Wetherspoons will update special offers on its website as well as on its Twitter and Facebook pages instead of sending newsletters.

“Many companies use email to promote themselves, but we don't want to take this approach – which many consider intrusive. Our database of customers’ email addresses, including yours, will be deleted,” wrote John Hutson, Chief executive at J.D. Wetherspoons to customers.

GDPR: Keep Calm & Put Your Cheque Book Away

Wetherspoons' decision to get rid of all customer data could be a sensible one, given that the upcoming GDPR legislation will impose heavy fines on companies failing to secure customer data or misusing such data.

The existing Privacy & Electronic Communication Regulations (PECR) imposes fines of up to £500,000 on erring firms, but the EU General Data Protection Regulation (GDPR) will impose fines of up to €20 million or 4 percent of a company's annual turnover, whichever will be higher.

Companies like Honda and Morrisons have already faced fines of £13,000 and £10,500 respectively by the Information Commissioner's Office for sending emails to customers who had either opted out or never gave explicit permission for receiving marketing emails. Had GDPR been in place, the fines faced by such firms could have been much higher.

Brexit and GDPR: How will it affect you?

"On a risk basis, it’s just not worth holding large amounts of customer data which is bringing insufficient value. This could be the case even where the organisation is clear on which customers have given consent to marketing and which haven’t," said John Baines, Chair of The National Association for Data Protection and Freedom of Information Officers to Wired.

Security consultants at the NCC Group have calculated that had GDPR been in place, fines imposed by the Information Commissioner's Office in 2016 would have been £69m rather than £880,500. They also calculated that while TalkTalk was charged with a fine of £400,000 last year, it could have faced fines of up to £59m had GDPR been in place.

US firm pays $115mn as data breach settlement; UK firms totalled £3.2mn last year

A YouGov survey of 2,000 UK businesses recently revealed that as many as71% of them are unaware of the fines under GDPR. Of those who are aware, 21% will make small-scale headcount reductions and 10% will cut staff by significant numbers to cover large fines under the GDPR. Only 29% of all businesses have started preparing for the GDPR, which has led experts to fear that a majority of them will not be ready when the new rules come into effect.

“These results are concerning because with next May’s deadline fast-approaching and with so much at stake, our study reveals there’s a very real possibility that the majority of organisations will not be compliant in time,” said Joanne Bone, partner and data protection expert at Irwin Mitchell.