Thursday 08 February 2018

2018. In China, the Year of the Dog. But for us in the EU it is the year of GDPR.

And so it was that in early February, PM Forum South West members assembled at Clarke Wilmott’s Bristol office for an enlightening Q&A presentation on GDPR. With a light lunch consumed, and a spot of networking carried out, we got down to business.

The panel was chaired by Liz McCloskey of PwC and made up of three data experts.

Hilary Coote, the senior manager at PwC responsible for their GDPR strategy, legal and compliance proposition and markets in the central and southern UK regions.

 Sue Diver running the GDPR programme at Clarke Wilmott who memorably likened her role to “that bit in Jurassic Park when it’s observed that people were so focused on wondering whether they could, that they didn’t stop to think if they should”. She asks “Should we be doing this?”. With data. Not dinosaurs.

 Simon McNidder who runs a CRM and database consultancy for professional services companies called Database First Aid. Previously he spent 18 years working with CRM systems at PwC and Pinsent Masons.

 With three such esteemed and experienced advisers, the talk was bound to insightful and it did not disappoint. What followed was a packed question and answer session that provided some welcome clarity and common sense on the topic of GDPR (given as general information not specific advice). Let’s take a look at some of the highlights.

 What is GDPR compliance?

It is not prescriptive legislation and there is no case law, so in essence there is currently no precise definition. This is a helpful point to understand because generally firms are not as far down the data protection road as they might like. We don’t know what 100% compliant looks like, so it is something to be working towards rather than hitting in May. And remember, May is the start of GDPR, not the end!

 What are the penalties for failing to get your act together on GDPR?

There are obviously the penalties in the legislation which we are familiar with by now – 4% of global turnover etcetera. But the panel highlighted other penalties that could be damaging, and these were interesting to consider. Reputational damage of course could be very costly depending on the type of breach. Will you suffer a business development handicap if you can’t demonstrate in a tender that you have robust GDPR policies? The risk of class action law suits along the lines of PPI miss-selling... Food for thought!

 What counts as personal data?

Anything that includes personally identifiable information. So joe.blogs@company.com is personal data as it links a named person to a company. Info@company.com is not personal data because no name is linked.

 What faux pas have been made in trying to get data consent?

This was a topic that was revisited a number of times throughout the session, and a number of high profile cases were cited from other sectors.

FlyBe, for example, were fined by the ICO for sending 3.3 million “Are your details correct?” emails to people who had said they did not want to receive marketing emails from them. Honda sent a similar email to people who it could not demonstrate had ever given consent for marketing emails and was also fined. Sending an email asking for consent for marketing without consent is not allowed.

And at the other extreme, Wetherspoon’s deleted its entire database in 2017, thought to include hundreds of thousands of email addresses as part of an initiative to reduce the risks associated with data.

How do you handle people who exercise the right to be forgotten?

Anyone who has looked into this will be aware that it is a can of worms. The panel were very good at highlighting some of the major difficulties, and where possible solutions.

They covered some of the basics: delete as much information as possible, grey out what is left, mark them as unsubscribed. That will do a pretty good job of keeping them out of mailing lists. But what about the risk of a random person getting the contact details manually for whatever reason? There was a good tip here to counter that – spoil the email address with a typo!

There are other dangers too. Think restoring a system from a back-up. An invaluable tool but also a back door for reintroducing someone to a system who had been previously been removed following a right to be forgotten request.

And of course there will be some pieces of data that, for one reason or another, are just impossible to delete. You’ll probably just have to accept this risk and build robust systems to manage it.

A valuable, plain-speaking GDPR session
Many other insights were shared in the hour we had, including: 

  • How business development and events teams should be handling data they collect.
  • How frequently should you re-seek consent? (How long is a piece of string?!)
  • When does data switch from being of legitimate business interest to marketing and therefore require consent?
  • What about purchasing external data lists?

As the event concluded with a round of applause, PM Forum members left with some fresh perspectives, great insights and a renewed vigour for tackling the GDPR challenges ahead.

 

Written by Huw Bendon, South West Regional PR
Managing Director and Founder, On Point Copywriting