During the BNC Event Show, Noodle Live’s Chief Technical Officer, Glyn Roberts, was invited to take part in a panel discussion about GDPR. The General Data Protection Regulation comes in to force on 25th May 2018 and will impact anyone who gathers or stores data about their clients – in other words, all of us! At Noodle Live, we’ve been working with a team of lawyers to make sure that we are fully GDPR ready.
The new GDPR legislation is designed to protect all EU citizens (regardless of Brexit) and builds on existing data protection guidelines and adds additional opportunities for substantial fines when companies do not follow the regulations. In fact, you could be fined up to 4% of global turnover if you fail to comply.
Scary stuff! But the panel were unanimous in one clear message: if you follow the rules, you have nothing to worry about.
“Rather than seeing GDPR as a list of requirements, we encourage people to see it as an opportunity to look at the data you have and to think about how to use it in the most effective way,” said Mike Piddock.
He then asked Anita Bapat: “If you have a database of existing attendees stored on your systems, are you allowed to target them if the data has been captured in a non-GDPR ready way?”
“You need to look at the way the data was captured,” she responded. “What was their expectation at the time? Were they given any notice about what would be done with their data? If not, then it’s not GDPR readt, but you don’t have to get rid of the data altogether, you can look at ways to remediate that.”
“When you’re collecting data live at an event, at a booth, how do you make that GDPR ready?” Mike asked Glyn.
“When people attend an event they need to be clear what their data will be used for,” said Noodle Live’s Glyn Roberts. “It needs to be in plain English: we will use your data, we could share your data with an exhibitor. We usually do an educational piece with the exhibitors we work with. When you register or sign up for something, this information needs to be provided in a clear and precise way”.
“Data privacy hasn’t really been taken that seriously by corporations for a while,” continued Glyn. “The reason the GDPR has come about is so that it’s no longer the Wild West. The way companies use your data or store your data needs to be clear when you sign up. Places like Germany have very strict policies already. This is bringing the rest of Europe up to the same standard.”
Anita Bapat clarified just how broad the definition of data could be: “Pretty much anything to do with a person is personal data. It currently has a wide definition under UK law. It includes name, email addresses, it also includes other online identifiers like IP address, because in combination with other information that could enable you to identify someone.”
“If someone hands you a business card, is that data?” asked Mike Piddock.
“It’s all to do with the context in which someone gives you their details,” Anit replied. “Under the current system that is implicit and implied consent. Under GDPR the threshold for consent is a lot higher. It has to be explicit. You would have to get some sort of opt-in consent from them. A regulator wants you to show evidence that you’ve got consent, so implied consent isn’t good enough. It’s on you to show how you that you have consent. Under GDPR that applies to all data you store on your system, regardless of how you use it.”
Glyn offered some advice on becoming GDPR ready as a business. “At Noodle Live, we are a good way through our GDPR process. It has been a multi-stage process. We did a data map of the business which proved to be extremely valuable. You understand a lot more about your business when you do that. It’s a great education piece and I recommend it to everyone. In the second phase we created a roadmap to ensure the entire team understood GDPR and their responsibility. We then sought out lawyers to help us with the final stages and finally, we did a full review to make sure we are fully GDPR ready.”
“There are companies who are considering creating a check system and a banner to show that you are GDPR read. You need to be able to show that you’ve taken all necessary measures to have a GDPR defensible position. If you do that, your ability to be fined should be minimal.”
“What about bought data?” asked Mike Piddock.
“You need to be very careful that the person you are buying the list from is allowed to use that data and has been GDPR aware,” said Anita Bapat. “When you then market to that list you need to explain who you are and offer an opt-out option at that stage. Always check the context in which you have collected that information. What notice did that organisation give when collecting that data? If it doesn’t match up, you may have to go back and make that data compliant retrospectively.”
Mike Piddock shared an anecdote about a lady who worked for a charity. She looked through their data and realised that a lot of it was not GDPR ready, so she decided to remove a lot of it, effectively halving the charity’s database. She decided to act fast and effectively and not to cut corners. They have lost data, but they are now going to build a GDPR defensible database and will avoid running into future problems.
Anita shared a story about a major international business who were fined after sending out an email asking if people were happy to receive emails from them. They were trying to ensure they received consent, but these same people had previously opted out of receiving emails, so the company were fined by the regulators. “If you are not sure about where you got the information, don’t use it,” said Anita.
“Honda were also fined,” Anita continued, “they did have a database but it had been filled out badly. Someone had put an ‘x’ in the ‘does this person want to receive marketing emails’ box and no one could tell whether that meant yes or no. They went ahead and sent the email out, but it turned out the ‘x’ meant no. That’s a good example of how thorough you have to be. Under the current UK data protection regulations you can be fined up to £5k. Under GDPR it will be up to 4% of global turnover, which is huge. There will also be an increase on the compensation that can be claimed. People can claim compensation from you a lot more easily. You don’t need to show damage anymore. You also have the ability to take class action suits, so this is very important.”
Mike Piddock agreed. “If you are asked for proof that people have given consent to receive communication from you, you need to be able to provide that proof quickly – that’s what it’s all about.”
Glyn highlighted some of the dangers businesses face under GDPR: “It’s now a lot easier to test whether a company is GDPR ready or not. Consumers can ask to see the data you are holding about them. They can then ask for any or all of that data to be removed and as a business, you have 72 hours to wipe it from your system. After 72 hours they can make another request to see the data you have on record about them. If you still have data, you have breached the regulation and they can gather grounds for a class action suit.”
“That is why it’s so important to ensure that your data is centralised and easy to access,” stated Glyn. “At Noodle Live, we are working on a system that will automatically send that data autonomously. That means we don’t have to be constantly on guard and ready to answer requests within 72 hours. The system will handle itself, which will make our lives a lot easier.”
Glyn also pointed out that you need to be particularly cautious when storing data on a moveable device. “It all needs to be encrypted because if your device was stolen you risk a security breach.”
As the discussion came to a close, Mike invited each panel member to offer a top tip on GDPR.
Emily Magee: “This isn’t scary! It sounds terrifying, but it’s likely that your systems already cover some of these regulations. Don’t forget that most of the people on your marketing lists probably want to come to your events. Just be transparent and responsible about the ways you store and use data. Always be transparent about the ways people’s data will be used.”
Glyn Roberts: “I found the data mapping piece very valuable. It helped us understand all parts of our business. If you create a data map, share it with the entire team so that everyone can benefit”
Anita Bapat: “Figure out what data you have and then how you got hold of it. That’s the only way to understand if it’s GDPR ready.”
Mike Piddock: “Consider this an opportunity. Your clients will value the fact that you’re going to them and telling them you are in control of this and that you’re working out ways to make sure they stay GDPR savvy. Use it as an opportunity to stand out and show that you care about this issue.”