With the new General Data Protection Regulations approaching fast, it’s time to start deleting your customers’ dodgy data, says Peter Ducker
No one likes receiving unsolicited emails or spam, although dislike is probably putting it too strongly. Unwanted emails simply sit there unopened or are deleted automatically. Harmless enough? Not necessarily for the senders. Companies that do not respect the wishes of past, present or potential customers are already liable for fines, but the penalties are set to climb much higher thanks to the introduction of EU General Data Protection Regulations (GDPR) on 25 May.
Morrisons, Honda, Flybe, Islington Council and Carphone Warehouse have recently been fined for either being careless with the personal data they hold or for sending millions of emails to people who had previously told them they no longer wanted to receive marketing messages.
Under GDPR, which will replace the existing UK Data Protection Act, fines will jump from the current maximum of £500,000 or 1% of annual turnover to €20m (£17.8m) or 4% of annual global turnover.
Last summer, pub chain JD Wetherspoon decided to delete its entire emailing list. Observers speculated that the group might have lost track of which customers had given consent to be emailed for marketing purposes, and which hadn’t. The chain had suffered a data breach in 2015 when a third party stole the personal data of more than 600,000 customers.
With GDPR less than three months away, companies clearly feel increasingly uneasy about keeping large amounts of data of uncertain value. Wetherspoon chief executive John Hutson suggested that email was not an effective marketing method anyway because many consider it “intrusive”.
To be GDPR-ready, companies need to go carefully through all of their data and check exactly what they have, why they have it, and what they need to do with it in order to be GDPR-compliant.
The GDPR puts the onus on companies to actively seek specific permission from individuals to use their personal details, such as emails, phone numbers and postal and IP addresses. Relying on preticked boxes or inaction (ie not unsubscribing) will not constitute consent.
Furthermore, GDPR applies the principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
A hotel that has amassed the contact details of all its previous guests, for example, cannot send marketing messages to them unless it first has their permission.
Although preparing for GDPR may seem onerous, it is an extension of legislation that already exists and is intended to prevent sloppy and potentially dangerous practices. Businesses tend to hoard data. You may be surprised by how much data you hold that is out of date or of no use to your business at all. Carrying out a data spring clean may actually make you feel good!
Peter Ducker is the chief executive of the Institute of Hospitality