Taking data security seriously – six months of GDPR
The General Data Protection Regulation (GDPR) set out to provide consumers with greater privacy and security, and this has certainly been achieved in the six months since implementation. But what have emerged as the pain points for businesses since May 25th 2018? And what can we learn about progressing customer relationships in the commercial space, within the new legal framework?
Dealing with the rise in ‘subject access’ requests
GDPR is placing administrative strain on sectors such as retail and hospitality because of the ease with which it is now possible for customers to make a ‘subject access request’. Legal experts estimate that businesses have seen a 50% increase in subject access requests since GDPR was introduced. The pressure is on to understand customer data, to know how to provide access or present it when required, and to understand any legal obligation to delete. Not surprisingly, expert legal advice and totally secure storage of data are two areas that companies have focused on in the last six months.
A subject access request allows anyone to ask what data a company holds on them, and ask for it to be deleted. Under GDPR, companies are forced to respond in 30 days, free of charge. For some companies it’s already proving to be a struggle to deal with the volume, to manage the request within the time limit, and to understand whether it’s necessary to erase the information or not. Many retailers, for instance, need to keep certain data for product warranty purposes.
Lack of joined-up compliance
Trade press coverage of how retailers and hospitality groups are coping with the challenge of providing or deleting customer data suggests there is patchy compliance, six months into the GDPR regime. For instance, some of the big supermarkets hold loyalty card data as well as ecommerce customer data that isn’t necessarily stored under one customer identity, so there is general confusion in head offices around exactly what to provide to customers when they get in touch.
This lack of a single view of customer data doesn’t bode well for retailers and hospitality groups. Many are working with network and data storage specialists to help them clean up, secure and streamline the way that customer data is stored and managed.
Uncertainty over fines
Retailers will be following high-profile test cases with interest in the coming weeks and months, keen to discover what levels of fines are delivered under GDPR. Major data breaches at Ticketmaster and British Airways are currently being investigated by the Information Commissioner’s Office (ICO).
Both companies will soon discover how heavily the ICO will come down under GDPR. The size of these fines could well set the precedent for future breaches, say legal experts. Despite BA’s quick reporting of the breach, experts think the airline could be hit by a huge fine under GDPR. Previously, the largest fine issued by the ICO was £500,000. However, under GDPR, firms can be fined up to 4% of turnover, which in BA’s case would amount to an eye-watering £500 million.
Regulators each take a different approach
When it comes to fines, it’s believed that the UK’s data regulator, the ICO, will take a pragmatic approach, based on its communications so far. However, other regulators in EU member states could take a more robust approach. France’s CNIL regulator and some of the regional German data protection authorities could well be less compromising in their enforcement.
Peace of mind
A huge benefit of GDPR is the data clean-up job that firms are required to complete, particularly when it comes to email opt-ins for CRM purposes. For large retail and hospitality companies, being certified as GDPR compliant is going to make marketing to fully signed-up brand fans more effective. Secure data and compliance will also boost a business’s reputation as trustworthy in the eyes of potential customers.
And under GDPR, a third party’s breach of customer data is still the responsibility of the customer-facing organisation. This has led retailers and hospitality firms to carefully review all the contracts they hold with these partners to ensure there are no ambiguities over accountability.
GDPR has also encouraged large companies to formally appoint a Data Protection Officer (DPO). The regulation states that DPOs must have “expert knowledge of data protection law and practices”. Businesses are hopeful that having a named officer – fully trained in data security and responsible for compliance and cybersecurity – should lead to a dramatic reduction in data breaches. Hard work around compliance is paying off.
Never too late to get your data in order
After all the anticipation of GDPR, are businesses able to relax six months on? Unfortunately not. Many retail and hospitality companies are continuing to streamline their data collection and hosting procedures and to audit their practices. Many still worry that they are not compliant. Some organisations lack the proper methods for storing, organising and retrieving data in line with the regulation’s requirements, and this, combined with the strict guidance on re-permissioning emails, could mean a large number are, in fact, still not fully compliant.
Our advice is: don’t lose any more time getting your data house in order. Being GDPR compliant puts you in the powerful position of truly understanding your customer data and being able to leverage it for commercial advantage. Getting this right means you’ll keep your customers happy and safe too.