Customer databases may soon become more trouble than they are worth
In June 2015, UK pub chain JD Wetherspoons was hit by a cyber attack. More than 650,000 emails and some staff details were stolen. When the breach was discovered, the company's founder and chairman sounded an interesting note on security. "As far as I'm concerned, there's no need for Wetherspoon to hold customer information in future," said Tim Martin, promising that the company would "try to store the absolute minimum amount".
And last week, Wetherspoons, founded by Tim Martin, came good on that promise when it announced it was deleting its entire email database. Chief executive John Hutson explained why in a final email to customers.
"Many companies use email to promote themselves, but we don't want to take this approach, which many consider intrusive. Our database of customers' email addresses, including yours, will be deleted. In future, rather than emailing our newsletters, we will continue to release news stories on our website."
"Thank you for your custom," the email concluded, "and we hope to see you soon in a Wetherspoons pub."
Some might see the destruction of such a valuable database as drastic. But given the risk and overheads associated with storing personal information, you can't argue with a focus on getting bums on seats, rather than emails into a database. And the cost of keeping data is only going to get more onerous with the onset of the EU's new General Data Protection Regulation, or GDPR, in May of next year.
The GDPR applies to any business that keeps data on European customers. Any business that uses such data for marketing or other purposes must have that person's unambiguous consent and must keep an audit trail that proves the customer hit all the relevant tick boxes when their data was collected. Consumers will also be able to demand details of all the personal data that marketers keep about them, including how this data is used. As a result, marketers need to get ready to justify every piece of data that they have collected and how it is used. They also need improved systems for retrieving datasets quickly when requested by consumers.
There may be trouble ahead for those who don't. Trouble means fines. When the GDPR comes into effect, companies that are found to be non-compliant are facing a two-tiered approach to sanctions. Lesser incidents could result in maximum fines of either €10m or 2pc of the company's global turnover, whichever is greater.
More serious violations could result in fines of up to €20m or 4pc of the company in question's global turnover; again, whichever is greater.
Aside from the fines, there is also a risk of reputational damage and loss of customer trust. For some companies, data breaches are a PR disaster waiting to happen.
So what should companies do and should other companies be looking to follow Wetherspoons' lead?
Well, the first step is the application of some common sense. Hoarding data for vague or intermittent marketing is no longer worth it. Businesses should be examining each and every dataset, whether it's emails, cookies or other personal information, to ensure the cost of maintenance is less than the revenue it delivers.
For some, the risk may outweigh the return. These companies may decide to take the Wetherspoons route at this point. Everyone else who chooses to hold onto their data needs to get their houses - and databases - in order.
That means companies need to audit the permissions and consent associated with each customer and interrogate how they are currently being stored and processed within their CRM platforms. This could result in some uncomfortable conversations over ownership in some companies, where the IT function still retains control of customer data.
Where consent cannot be proven or the provenance of existing data is unknown, companies may need to delete records or risk fines. They also need to review current data-collection processes to ensure consumers have full control over the permissions around the data they provide. Another recommended step is a review of contracts with third parties: data processors and providers.
The line that data is the new oil has become a bit of a cliché at this stage. But perhaps it's more apt than it seems at first glance. Yes, data is the fuel for a new digital economy. But like oil, it's got a risky side. It is expensive to extract, refine and keep - and disastrous if it leaks.
Sunday Indo Business