GDPR comes into force on 25 May. That is a fact. Unfortunately a lot of the other information circulating about GDPR should be categorised as "fake news". A flurry of "GDPR experts" - some of them helpful, others compounding the confusion - have surfaced over the last year.
It is time to separate fact from fiction. If the misinformation goes unchecked, you risk losing on business opportunities to the competition. This presentation will debunk the most common myths and set the record straight.
4. Wetherspoons just deleted its entire customer email database - on purpose. And said it will stop sending all email newsletters. July 2017
5. Myth #1: You won’t be able to send marketing emails anymore or will have to delete your database
7. “We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.”
10. What we did at VinciWorks
● Verify your legal basis (consent, legitimate interest)
● Delete worst contacts
● Honor unsubscribes with your life
● Monitor unsubscribe rates
● Deliver phenomenal value
14. Conditions for processing data
1. The person gave explicit consent
2. To fulfil or prepare a contract
3. There is a legal obligation (excluding a contract)
4. To save someone’s life or in a medical situation
5. To carry out a public function
6. There is some other legitimate interest (excluding public authorities)
15. Myth #3: Most staff don’t need to care or worry about GDPR / It’s something for your Data Protection Officer to worry about
16. What we did at VinciWorks
● Conduct a DPIA with all staff
● Update employment contracts
● Update internal rules and policies
● Train all staff on the basics of GDPR
● Create a culture of sensitivity to users
22. VinciWorks and subject access requests
● Create a portal where people can fill out a form
● Stick to the timelines
● Automate what you can
● Build trust
● Create value
23. Myth #5: You’ll be fined 4% of global turnover for your first offence
Good Morning everyone.
Today I was going to dispel 10 GDPR myths but VinciWorks ran a GDPR webinar yesterday and we had over 800 registrations and over 500 attendees and we captured some great data that I really want to share with you today.
So I am going to brighten your day and dispel only 4 or 5 key myths, share what we learned yesterday and probably commit professional suicide by telling you why I think GDPR is actually good for business.
And even if you think I have gone nuts this presentation might at least give some of you sound bytes to help you better sell GDPR to the Board and get a bigger budget or help you get some buy in from Marketing and Sales to do what you ask of them.
Like others here this morning, I’ve been in the compliance business for a long time and I’ve seen the cycle before: anti-money laundering, anti-bribery, sanctions, diversity, tax evasion, modern slavery and now GDPR. New regulations are announced and what happens?
The scaremongering begins, the ambulance chasers come out and a whole new breed of consultants start telling us to take action, spend money and do stuff they don’t really know we need to do.
Well if you are still in panic - Relax
This is a result poll from our Webinar yesterday. Only 2% said they were Fully Prepared and almost 40% said they hadn’t prepared at all. So feel proud or relieved – whatever works for you.
So let's get right to it with Myth number 1. You won't be able to send marketing emails anymore or you will have to delete your entire database.
Rubbish, right? Well it seems that someone gave JD Wetherspoons this advice and they followed it.
Wetherspoons is a UK national chain of pubs that is publicly listed with over £1.6 billion in revenue.
Now have some sympathy for Wetherspoon because in June 2015 they got hacked and had over 650,000 customer records stolen. So once bitten, twice shy – right?
Well in July 2017 Wetherspoon deleted its entire user database including around 500,000 email addresses and said it will no longer send email newsletters to anyone.
What was their rationale?
A Wetherspoons spokesman said: “We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.”
Well it's true that the best way to take no risk is to do nothing - but for most of us communicating with our clients and prospects via email is a critical part of our marketing strategy and it's justified.
The ROI per dollar spent on email marketing is nearly double the next best option - SEO. So if Wetherspoon is going to stop all email marketing but still market online they are going to have to double their marketing budget to achieve that same ROI.
Now I am not saying Wetherspoon were wrong – they are a successful company that knows their business. As I am sure are all of you.
So this is an interesting poll result from yesterday’s webinar – half the people haven’t decided and around 25% are going to ask for consent – and yes around 4% intend deleting what they have.
The truth is that no one will have a complete understanding of the regulations until they are tested and that’s going to take some time.
We at VinciWorks have no greater insight than the rest of you but I thought it might give you food for thought if I shared with you how we at VinciWorks responded to these myths, remembering that every business is different.
You may well have valid bases for processing personal data and take a very different approach to us.
First, and you all must do this: we took advice. Then we started with a Data Audit. It took time and effort to look at all the personal data we hold including both internal employee data and external prospect and client data.
1. With the external data we did an assessment and started deleting the worst or ‘weakest contacts’. These were contacts that had never opened any of our emails, never clicked on a link or had never engaged directly with us. We determined that by their inaction they had clearly signaled that they were not receiving value from us, they hadn’t consented and when we got real we recognized that there was almost zero likelihood that they would ever actually buy anything from us – so why keep this personal data?
We also assumed that they were the most likely to report us for data breaches, whether we committed one or not. So we did a Wetherspoon and dumped it.
Interestingly we found that many of these weakest contacts had gmail.com or hotmail.com addresses.
2. Next we made sure we had an iron-clad process for managing unsubscribe requests. We absolutely didn't want to be sending emails to anyone that didn’t want to receive them – why would we? For sure THEY WILL NEVER BUY.
3. Another thing we started to do more closely was to monitor our unsubscribe rates. Our typical unsubscribe rate is less than 0.5% and we learned that an increase to over 1.5% meant there was a problem and it was probably us who was doing something wrong.
4. And finally and most importantly we re-focused on delivering exceptional value from our marketing.
We only communicate information that is of significant value to our customers. It's expensive to create great content and it takes time to get your head around giving away such high quality content - for free. But it works. Give it away and get rich!
Most importantly it works in terms of generating great leads, up-sales and renewals and what is really cool is that from a GDPR perspective no one ever complains about receiving amazing value.
We don't do any telemarketing nor any cold calls.
All of our growth today is driven by delivering a constant flow of high value content.
The internet shifted the power in the buying decision from Seller to the Buyer.
We never know when the buyer is actually ready to buy
But by constantly delivering relevant high value content we hope to retain some level of ‘mindshare’, create a level of trust and, by so doing, hope to be asked to sit at the table when the buyer is ready to buy.
GDPR has helped us purify our policies and impose processes that drive our growth.
Myth #2: You can’t store personal data.
There are lawyers and others in the room who can discuss this with much more authority than me but rest assured it is more than a myth, it is a lie.
Touching on just 3 conditions - what is true is that in order to process personal data, the data controller must have a lawful basis on which he can rely.
The most obvious is contractual - we provide compliance and risk management software to companies but we also offer compliance training to around 100,000 individual lawyers and accountants including some of you here in Cyprus – thank you! We have a contract with agreed Terms & Conditions and that contract gives us a lawful basis to process the related personal data.
Next is Consent. It’s common sense. Did they consent to you sending them stuff? We were nervous about asking for consent but then we realised we were more afraid of creating a detractor as opposed to a promoter. And so if people are not engaging with us we should assume they don’t consent - it's safe and it’s right. It honours the individual and his or her rights.
I think the legitimate interest condition is most interesting because it allows for a lot of discretion particularly as to what is reasonable.
Bottom line we don’t want to fight with anyone. If we end up going to court no one wins and either way we lose the customer.
Your DPO may be the person you have “tasked” with achieving GDPR compliance. But GDPR is about people, it is about your customers and about your employees.
And in many organisations the DPO has never actually spoken to a customer.
And unless your DPO is also your head of HR, do you want them having sensitive conversations about personal data with your staff? I didn’t.
Think about who in your organisation has access to or deals with ‘information’ relating to an identifiable person.
This includes a person’s name, identification number, location or online identifier such as email address.
In our company it was the HR Team, Office Manager, Finance Team, Marketing Team and yes, the Sales Team – everyone dealing with our prospects or customers. That is almost everyone.
So we decided all these people needed to take ownership and responsibility for the protection of data.
They will be the ones that cause us to breach the regulations, negatively impact the reputation of our business and ultimately lose our clients.
Our first step, was to complete a limited Data Protection Impact Analysis – we didn’t feel we were obligated to do this.
We don’t believe there is a high risk of us impacting on the rights and freedoms of a large number of individuals
but we are in the Risk and Compliance Management business.
So we undertook a Risk Identification process. We looked at the data we had and assessed if there was low, medium or high risk of a breach occurring.
We learned what most companies are learning:
We needed to review all staff employment contracts: we needed to reference the employees’ GDPR rights in their contracts and at the same time tell them what their obligations are as employees.
We needed to review and update our Terms & Conditions and many of our other policies and internal rules.
We also needed to ensure that some time would be taken at the launch of every new project to evaluate the project in the context of GDPR.
However what we really needed to do was to make data sensitivity an integrated part of the VinciWorks corporate culture,
the same way as we are doing around harassment, diversity, bribery and risk in general.
This requires behavioural change and that requires good governance, great communication and consistent and ongoing training.
We were lucky because VinciWorks creates great online compliance training
So we deployed GDPR training to all staff
Training doesn’t have to be long, boring or difficult but it does need to be tailored to an individual’s role
Your team need to understand what GDPR is from their perspective within the context of their specific job role.
Another poll from yesterday’s seminar… A much more even spread around DPIA (Data Protection Impact Analysis).
Myth #3: You will be swamped with data access requests
Very quick on this. Subject access requests are not new. They have been around in the UK since the Data Protection Act in 1998 and in Cyprus since 2001.
The only difference is that now they are free instead of costing £10.
I would like a show of hands, how many people have ever processed a subject access request? Well you are in good company:
Swamped? I don’t think so
That said, we really liked the Guidelines on Transparency issued by the Data Protection Working Party.
So we thought it would be important for businesses to demonstrate our transparency and availability to our own staff and to our broader community of customers and prospects.
At VinciWorks we sell workflow tools that make it really easy to create online forms, approval workflows and registers. And so we are using this tool to create a simple online portal that is accessible internally and externally to our entire community. It contains one page or form which is a Subject Access Request form. If someone submits a request it alerts the DPO by email and sends the request into a mailbox which is supported by a workflow that helps ensure the appropriate person responds to the request within the required timelines.
Is this essential? Is it regulated? Probably not. But it relieves the DPO from some of the more arduous tasks and we see this as an opportunity to demonstrate to our community that we care, that we are open and available - and we are not doing the same thing in regard to whistleblowing, harassment, complaints, gifts and GDPR breaches.
It’s a headline grabbing threat designed to leave you shaking at your keyboard, fearful that one wrong keystroke will siphon off €20m, or 4% of turnover, whichever hurts the most. Typical maximum fines that can be levied under current data protection laws in Europe are peanuts in comparison: £500,000.
If the Regulators applied the maximum fines then some of the biggest fines would balloon under GDPR rules. TalkTalk’s 2016 fine of £400,000 would become nearly £60m
However GDPR is not about fines. The ICO has made clear that maximum fines will not become the norm, nor will examples be made of big brands for minor infringements. As they’ve said, they prefer the carrot to the stick. The UK ICO’s record stands to reason. In 2016/17, the regulator dealt with over 17,000 cases. Only 16 resulted in a fine. I am not certain but from the research I did do it seems the ratio and certainly number and amount of the fines have been much lower here in Cyprus.
There seems nothing to suggest that this will change under GDPR. The regulator has a range of tools available on a tiered basis, starting with ordering audits, issuing warnings and reprimands, demanding compliance and launching investigations. GDPR, is focused on getting data protection right for citizens, not fining businesses to within an inch of their profit margin.
So my time is almost up.
Let’s summarise: Of course GDPR is about the regulations but I hope I have made the point that GDPR can also be seen as an outcome of the shift in focus to Customer Success and Customer Care.
As customers we know that. As customers we all get massively upset when we get spammed, we get angry when we unsubscribe and then keep getting emailed and then we go ballistic when those telemarketing guys call us during dinner.
Well if we as businesses want to create customer loyalty then surely GDPR simply becomes the benchmark minimum standard for caring about our customers’ data.
In today’s global networked marketplace the Customer is constantly asking themselves why they should buy from us. And so attracting and keeping a client is only partially derived from the quality of the products and services we sell but is probably equally if not more derived from the relationship they feel they have with the company. And like all relationships it is built on trust, value and respect.
Clearly we all need to achieve regulatory compliance and all the people presenting here today are here to help.
VinciWorks can help in many ways around training and data collation, analysis and reporting but it is my belief and experience that if you apply common sense and focus on the three pillars of customer success - trust, value and respect then GDPR compliance becomes easy and obvious –
GDPR compliance will actually enhance the quality of your offering, your relationships and ultimately your bottom line.
We have set up a portal with comprehensive GDPR resources at vinciworks.com/GDPR including links to training, policies, templates, guides, assessments and a bunch of other stuff all freely available to you. Take out your phones and take a quick look now. Enjoy and thank you.
Have a great day.