Peddling myths to harry the innocent

Like wasps around a pot of jam, the buzz of experts rushing onto the GDPR bandwagon is incessant. Leading cyber security entrepreneur Jane Frankland posted ‘Can we really trust GDPR Products, Services and “Experts”?’ just two days ago, and I found myself agreeing with much of what she said.

Given that a good deal of my time at the moment is spent trying to understand the GDPR and how it applies to clients, mainly in the B2B events and publishing industries, I have trawled my way through lots of different articles from “experts”. My current role involves constantly picking apart the legislation to understand how it applies to the nuances of individual organisations and their business operations. There is lots of great advice from the ICO and the DMA, but the scope of what these bodies cover is vast and much of it is generic, so it is important to supplement their information with more specific detail from elsewhere.

This research process does occasionally throw up a complete curve ball, and today served up an absolute belter. While looking for insight into double opt-in I came across the following comment in a blog by a marketing automation company:


Take a really good look at the last sentence in the first paragraph. Yes, you are reading it correctly: apparently people who attend B2B exhibitions are so naive that when they give a business card to a company on a stand they don’t think it is for marketing purposes (i.e. contact about products and services), and it is the last thing they want. Really?! If you are having a chat with a sales rep at the bar and give them your business card, are you expecting them to add you to their Christmas card list, or would you be more than a little surprised if they called to ask whether it is OK to email you about the product you were discussing? Surely personally handing over a business card is the most unambiguous form of consent there can possibly be.

I’m not entirely sure where the writer of this article has been hiding, but patently they have zero understanding of how networking happens and business relationships are built. If you aren’t interested in a product, or you don’t want to be contacted by someone, you don’t give them your business card in the first place. They also haven’t grasped that at many B2B exhibitions business cards aren’t exchanged at all: there is this really cutting-edge technology called a badge scanner, where visitors voluntarily allow their personal data to be collected by the company whose stand they are on, with a data protection notice already printed on the badge telling them not to have it scanned if they don’t want that. Nor, I suspect, do any of the authors of the GDPR intend it to hamstring business interaction in such a draconian way.

Double opt-in or confirmed opt-in is another favourite of this same marketing automation ‘expert’:


Now, there is some merit in a double opt-in process, as described by Mailchimp:


The Mailchimp description above makes clear that double opt-in is a mechanism for keeping your list clean and relevant, which saves you time and money; the previous extract peddles it as a legal necessity. Think about the argument some commentators make for it: someone might sign you up to multiple porn sites as an act of revenge. But if a person is that vindictive, the chances are they also know how to get into your email account, or the stream of ‘please confirm your subscription to …’ emails will cause more than enough distress anyway. In the B2B context, is this even likely?

If you are following the pathway to GDPR compliance, you should have a very clear opt-in statement on your data collection forms at the point at which the data is collected, because Article 7 of the Regulation requires you to be able to demonstrate that the individual consented. In my humble opinion a record of that statement and of the tick against it is sufficient proof that someone actually intended to sign up for an event, requested a newsletter or asked to download a piece of content. Given that at every contact point from then on the recipient is able to opt out again, suggesting that double opt-in is mandatory is a mendacious attempt to extract fees for unnecessary services from credulous companies who have not had the time to study the legislation in detail.
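As an added example (mine, not code from the original post or from any of the vendors it discusses), here is what a minimal consent record and a confirmed opt-in step look like in Python. The ledger entry holds the evidence Article 7 asks for: the address, the exact wording the person was shown, the form it appeared on and the time. The confirmation token is the optional double opt-in layer; if you do run one, the token must be unforgeable, bound to the address and time-limited, otherwise anyone can "confirm" an address they do not own. The key, the three-day lifetime, the form identifier and the addresses are assumptions made up for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed: in production this key comes from a secrets store, not a module global.
CONFIRM_KEY = secrets.token_bytes(32)
CONFIRM_MAX_AGE = 3 * 24 * 3600  # assumed: confirmation links live for three days


def record_consent(ledger, email, form_id, statement, ts):
    """Append the Article 7 evidence: who consented, the exact wording they were
    shown, which form it was on and when. 'ledger' is any list-like store."""
    entry = {"email": email, "form": form_id, "statement": statement,
             "ts": ts, "confirmed_at": None}
    ledger.append(entry)
    return entry


def issue_token(email, issued_at, key=CONFIRM_KEY):
    """Build a confirmation token: base64url(JSON claims) + '.' + HMAC-SHA256 tag.
    Signing the address and issue time together means a link cannot be reused
    for another address or after it has expired."""
    claims = json.dumps({"email": email, "iat": issued_at}, separators=(",", ":"))
    body = base64.urlsafe_b64encode(claims.encode()).rstrip(b"=").decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token, now, key=CONFIRM_KEY, max_age=CONFIRM_MAX_AGE):
    """Return the address a valid token confirms, or None if the token is
    malformed, forged, tampered with, future-dated or expired."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        padded = body + "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, TypeError):
        return None
    iat = claims.get("iat") if isinstance(claims, dict) else None
    if not isinstance(iat, (int, float)) or now < iat or now - iat > max_age:
        return None
    return claims.get("email")


def confirm(ledger, token, now):
    """Double opt-in step: mark the pending ledger entry for the confirmed address.
    Returns the entry, or None if the token fails or nothing awaits confirmation,
    so a link is effectively single-use."""
    email = verify_token(token, now)
    if email is None:
        return None
    for entry in ledger:
        if entry["email"] == email and entry["confirmed_at"] is None:
            entry["confirmed_at"] = now
            return entry
    return None


if __name__ == "__main__":
    ledger = []
    t0 = 1_494_000_000  # constructed timestamp
    record_consent(ledger, "ana@example.com", "newsletter-signup",
                   "Tick here to receive the weekly events newsletter by email", t0)
    link = issue_token("ana@example.com", t0)
    print("confirmed:", confirm(ledger, link, t0 + 60) is not None)
    print("a week later:", verify_token(link, t0 + 7 * 24 * 3600))
```

Running the file records one sign-up, issues a link and confirms it; verifying the same link a week later returns None. The ledger, not the token, is what you would show the ICO, with or without the confirmation step.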

GDPR will affect your organisation in one way or another, and undoubtedly you will need help along the way. But please, let common sense prevail, and make sure that you filter the advice you are being given according to the agenda of the person giving it.


Event businesses risk all

Leading law practice Irwin Mitchell has recently surveyed 2,129 senior decision makers in business, and the results are pretty astonishing.

With just under a year to go until the Regulation applies, only three in every ten have started to prepare for GDPR, and 35% are unaware of the new rules, including the fines for data breaches.

You would hope that one sector at least, marketing and advertising, would be completely up to speed; but no, only 34% of respondents from that sector said they were aware of the GDPR, and 17% admitted that the maximum penalty would force them out of business. Given that event companies are often counted in this sector, it is not too much of a stretch to apply the findings to them as well.

We do need to rein back on the worst-case scenario a little, because it is the job of law firms to paint the picture as black as possible, but there is no doubt that any organisation not taking the legislation seriously could find itself in dire straits. The fines are likely to be largest for those that cannot demonstrate the measures and processes they have in place to keep data secure, and the mechanisms they rely on to spot a data breach.

Firstly, what constitutes a breach? The Regulation defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. At one end there is a wholesale hack of customer data; at the other, a confidential letter put into an envelope addressed to someone else; somewhere in between sits the download of unencrypted data onto an unprotected laptop. Not forgetting, of course, the member of staff who leaves to go elsewhere taking your sales and marketing database with them. Where this begins to bite is that, unless the breach is unlikely to result in a risk to the individuals concerned, you must report it to the ICO within 72 hours of becoming aware of it.

So, if you can’t even identify that you have had a breach, possibly because you don’t know where all of your data is, how are you going to report it at all, let alone within 72 hours? If, like 63% of the marketing and advertising companies in the survey, you aren’t confident that you can notify the relevant stakeholders within the timeframe, you are putting yourself squarely in the frame for a fine.

Plus, being able to identify and, where required, report the breach isn’t the end of the matter. Article 33 specifies what the notification must contain: the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures you have taken or propose to take to deal with it. If your data isn’t secure and compliant, your contracts with your data processors aren’t cast iron and your procedures aren’t professional, not only could you be facing a financial penalty, but you could find your business tied up in knots for a considerable period. If you are running a really lean operation, this could prove catastrophic.

Cutting through the cacophony of GDPR

So you just received yet another email from someone telling you ‘everything you need to know about the effects of GDPR’. You click on it, hoping that this time it will actually give you some guidance about what you can and should be doing. But oh no, it’s yet another person or company who has done a cut-and-paste job, and that hard-to-decipher legalese is all still there on every single one of the 30 pages or more.

Sigh…

Having spent considerable amounts of time recently working through the 99 articles and 173 Recitals that make up the Letter of the Law, I can tell you it is a tricky old bit of legislation to get your head around. But it isn’t impossible.

Firstly, if this is the first you have heard of the GDPR then you are a little slow on the uptake. We have known it was coming since the Commission’s proposal on 25th January 2012, and it was formally adopted in spring 2016, so we are already a year into the two-year transition period. You’ll hear some people say that the full details of the legislation are not clear, but that’s not true. The bulk of it is settled; it is only the greyer areas, where more guidance is required, that are still being ironed out. So you can’t use that as an excuse not to get a grip on it now either.

So what do you need to do? Don’t panic. Event companies are unlikely to hold much special category data (what the Regulation treats as sensitive: health, religion, political opinions and the like), although dietary and access requirements collected at registration can fall into it, so check. Nor are you likely to have lots of data subjects wanting to exercise the data portability right, or to make subject access requests for that matter.

My suggestion for your first step towards GDPR compliance is to appoint someone to take ownership of the task. They are going to have to take a few things out of that notorious Too Hard box, so they need to be someone who is dogged in the face of obstruction and obfuscation. They need to have the ear and support of a member of the senior management team. And they need the discovery skills of Sherlock Holmes.

As soon as possible they need to make a list. And if your event company is anything like some of the ones I have worked with over the years, it is likely to become a very long one, because this list has to cover Every. Single. Database. Yes, every spreadsheet, .csv file, FileMaker database and Salesforce export on every laptop, desktop and server that contains personally identifiable data. For each one they need to know:

  • Where it is stored
  • Who has access to it
  • What data it contains (i.e. fields)
  • How many records
  • When it was created
  • When it was last used
  • What it is used for

It’s not a pretty job. But this is your starting point. Until you know how much data you have, who has access to it, where it is kept and how much use it is, you will have absolutely no idea what solution you need and how much time it is going to take to become GDPR compliant.
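To make that list concrete, here is an added example (mine, not the author’s) of a small Python inventory script: it walks a directory tree, describes every CSV/TSV export it finds (path, fields, record count, dates) and flags columns that look like personal data by header name or by the shape of the values. The header hints, the three constructed sample exports it writes into a temporary directory and their file names are all assumptions; point inventory() at a real share and extend PII_HEADER_HINTS for your own schemas.

```python
import csv
import os
import re
import tempfile
from datetime import datetime, timezone

# Assumed header fragments that usually mean personal data; extend for your own schemas.
PII_HEADER_HINTS = ("name", "email", "phone", "mobile", "address", "postcode", "job", "company")
# Value patterns catch a column called "contact" that is in fact full of addresses or numbers.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?(?:[\s().-]*\d){7,}[\s().-]*$")
SCAN_EXTENSIONS = (".csv", ".tsv")


def classify_fields(headers, rows, sample=20):
    """Return the headers that look like personal data, judged by the header name
    and by the first 'sample' non-empty values in that column."""
    flagged = []
    for i, header in enumerate(headers):
        name = header.strip().lower()
        values = [r[i].strip() for r in rows[:sample] if i < len(r) and r[i].strip()]
        by_name = any(hint in name for hint in PII_HEADER_HINTS)
        by_value = bool(values) and (
            all(EMAIL_RE.match(v) for v in values) or all(PHONE_RE.match(v) for v in values)
        )
        if by_name or by_value:
            flagged.append(header)
    return flagged


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")


def describe_file(root, path):
    """One inventory row: where it is, which fields, how many records, dates, PII columns."""
    delim = "\t" if path.lower().endswith(".tsv") else ","
    with open(path, newline="", encoding="utf-8", errors="replace") as fh:
        reader = csv.reader(fh, delimiter=delim)
        headers = next(reader, [])
        rows = [r for r in reader if any(cell.strip() for cell in r)]
    st = os.stat(path)
    return {
        "path": os.path.relpath(path, root).replace(os.sep, "/"),
        "fields": headers,
        "records": len(rows),
        "pii_fields": classify_fields(headers, rows),
        # st_ctime is creation time on Windows but inode-change time on Linux;
        # atime is only a hint of "last used" and is frozen on noatime mounts.
        "created": _iso(st.st_ctime),
        "last_modified": _iso(st.st_mtime),
        "last_used": _iso(st.st_atime),
    }


def inventory(root):
    """Walk 'root' and describe every CSV/TSV file found, sorted by path."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(SCAN_EXTENSIONS):
                found.append(describe_file(root, os.path.join(dirpath, fn)))
    return sorted(found, key=lambda e: e["path"])


def build_sample_tree(root):
    """Write constructed sample exports standing in for an event company's file shares."""
    samples = {
        "exhibitors/leads_2016.csv": [
            ["Name", "Email", "Company", "Stand"],
            ["A. Visitor", "a.visitor@example.com", "Example Ltd", "B12"],
            ["B. Visitor", "b.visitor@example.org", "Sample plc", "B12"],
            ["C. Visitor", "c.visitor@example.net", "Demo GmbH", "C04"],
        ],
        "badges/scan_export.tsv": [
            ["badge_id", "mobile", "stand_visited"],
            ["B1001", "+44 7700 900123", "A12"],
            ["B1002", "+44 7700 900456", "A12"],
        ],
        "finance/stand_prices.csv": [  # no personal data: must not be flagged
            ["Stand", "Size_sqm", "Price_GBP"],
            ["A12", "9", "2700"],
            ["B12", "12", "3600"],
        ],
    }
    for rel, table in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", newline="", encoding="utf-8") as fh:
            csv.writer(fh, delimiter="\t" if rel.endswith(".tsv") else ",").writerows(table)


def demo():
    """Build the sample tree in a fresh temporary directory and return its inventory."""
    root = tempfile.mkdtemp(prefix="gdpr-inventory-")
    build_sample_tree(root)
    return inventory(root)


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['path']}: {entry['records']} records, PII fields {entry['pii_fields']}")
```

The dates come from the filesystem, so treat them as a guide only: st_ctime is inode-change time on Linux rather than creation time, and access time is unreliable on volumes mounted noatime. Spreadsheets in .xlsx and proper database files need their own readers, which is exactly why the owner of this task needs to be dogged.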

So, don’t worry about the details of the legislation right now. That isn’t going to change any time soon. Just start with this one task and it will create your roadmap to compliance.
Hellen @missioncontrol

The great marketing turn-off

The ICO (Information Commissioner’s Office) published its annual report earlier this year. As well as covering data protection issues in the UK, it lists the top 10 reasons for complaints about marketing activities.

With 27% of complaints being about email, automated calls, live phone calls and SMS, and direct marketing businesses accounting for 14% of all complaints, the question we have to ask is why so many people get it so wrong.

Part of the problem is that there is still an obsession with size. A dirty database of thousands is still perceived to be better than a tightly targeted, recently verified one of modest proportions.

Next on the list of heinous crimes is thinking it is OK to bombard the database with message after message. The logic is that although most people will delete or ignore you, a proportion of the list is bound to respond. Even with the weakest of messages this tactic will work for a while. The problem comes when the database has been misused so much that the suppression list becomes as large as the remaining viable data.

But it is addictive. Few are brave enough to resist the numbers game. Yet by sending out messages that mean nothing to the recipient, the chances are that current and potential customers are being turned off before you have even started to turn them on.

Hellen @missioncontrol