David Clarke is head of translation compliance and multi-lingual due diligence at Today Advisory Services, an operational arm of Today Translations. He is a former Detective Chief Superintendent, former head of the City of London Police Fraud Squad and a specialist in counter-fraud measures.
Video Credit: BBC World News
You could be forgiven for thinking the letters GDPR and PECR are abbreviations for some acute respiratory virus that will suffocate every marketing agency and company that holds personal data. With fines of up to €20 million or 4% of annual turnover accompanying the General Data Protection Regulation (GDPR) and hefty penalties for a breach of the Privacy and Electronic Communications Regulations 2003 (PECR), it’s easy to see how an unprotected company could be asphyxiated.
However, the focus on the risks of non-compliance has overshadowed a good news story: the rules are actually giving a huge, long overdue boost to responsible companies and helping them to win new deals. What they have done to turn regulation into an opportunity is simple: they have written and implemented strong data security policies and procedures, trained staff and had their management systems independently certified. These companies are then bidding for new contracts and procuring new third-party suppliers who have the same controls in place.
Data Security Matters
The changes shouldn’t come as a surprise to businesses, but, bizarrely, they are a mystery to many. The requirement to protect data and privacy is not new; the Data Protection Act 1998 (DPA) and PECR have been on the statute books for many years. Every year, the Information Commissioner’s Office (ICO) has taken enforcement action, a recent case being against Direct Choice Home Improvements Limited, which had previously been fined for making nuisance calls and had failed to change its practices. The company was charged with an offence under s47 of the DPA. The case was proved in absentia and the company was fined £400, ordered to pay costs of £364.08, plus a victim surcharge of £40. “Ooh! That’s harsh,” I hear you say. Well, fines are likely to be much higher in future.
The ICO has repeatedly told UK firms to respect customers’ data wishes and to conform to the DPA and PECR or else. In March 2017, the ICO fined airline Flybe and Honda £70,000 and £13,000 respectively for emailing customers who had opted out or never elected to receive email marketing from the companies. Sanctions of this size can be viewed as small change and a risk worth taking when the rewards from selling personal data and bombarding customers with unsolicited emails and calls are so lucrative. The fines available to the ICO from May 2018 should encourage organisations to be far more careful in the way they process data and understand their new duties to report.
Customers Want Great Service
This refocusing on the value of data makes business sense when the potential impact of getting it wrong is so high. Smart companies, however, are seeing it as a major business opportunity. The new rules are necessary because customers have become fed up with receiving marketing emails and calls, even when they purport to offer a great deal. Spam isn’t as harmful as phishing emails, but it does hurt staff productivity. A report by unroll.me showed that the top 15 worst email spammers in 2015 sent over 300 emails a year to a user.
Bothersome behaviour, even by organisations that customers might love, damages good relationships with customers. In the worst cases, bombarding citizens with unsolicited messages is akin to the ruthless tactics deployed by fraudsters. Every year, innocent people hand over billions of pounds to con-men who buy and sell ‘suckers lists’ that they use to target people with bogus investment and pension liberalisation schemes, imaginary tax rebates and fabulous FX deals. Collectively, this cold-call culture has tainted public trust and fed the notion that the behaviour of businesses large and small is far from good.
Good Behaviour Builds Trust
Listening to customers and giving them what they want has always been the differentiator for a successful organisation. Today, customers want to trust others more than ever, be they businesses, charities, the media or political leaders. Circumventing data protection and privacy rules might generate hype and a few sales but like fake news, ultimately, it creates one thing: a huge trust deficit.
Rogue traders will rightly say that sneaky business practices have existed for centuries and that legislation will not end this global phenomenon. What was once a little sawdust added to the bread by the local baker is now a little horse meat fed into the international supply chain. Shady individuals operating on the world stage like to stress how rich nations grew wealthy by sharp practices. Top-tier rascals believe they are above the law, seeing themselves as the modern Sir Francis Drake: adventurous buccaneers creating jobs and wealth for the nation and keeping a little percentage for their efforts.
Putting history to one side, the human and economic cost of modern financial crime has been estimated, and it is eye-watering. A report published in January 2018 by BDO reveals that the total value of reported corporate fraud has risen by a staggering 538% over the last 15 years, which suggests this is part of an international trend. Insurance firm Hiscox reported that in 2016 cybercrime cost the global economy over four hundred and fifty billion dollars and that over 2 billion personal records were stolen. An issue highlighted by the Fraud Advisory Panel is how corporate scandals involving global brands are often perpetrated with the knowledge of senior leaders inside the organisations, who somehow seem insulated from the consequences of their actions. It is noticeable, too, how many of the companies embroiled in these sagas did not have adequate procedures or basic security policies in place to protect them.
The GDPR aims to give power back to citizens by directing that organisations respect privacy, listen to customers and put proper controls in place to make security much stronger.
What Good Companies Look Like
Informed businesses have been beavering away for years to make sure they and their third-party suppliers are ready for GDPR and can show evidence of compliance. Their day has come, because legal and procurement teams now demand evidence of data security controls when they issue tenders. Good companies stand out from the crowd when they bid for projects. As a result, companies that can demonstrate they do the right thing are prospering. The charge is being led by some serious players, such as Microsoft, law firm Pinsent Masons and file-sharing firm Box.com.
Good organisations have documented controls in place to protect data and privacy and they follow them. This makes them stand out from the crowd when they bid for contracts, especially in tenders that require evidence of adequate data security. The procedures give buyers assurance that the supplier can be trusted as a partner and thus strengthen the supply chain.
Many organisations will argue that adopting information security standards such as Cyber Essentials Plus and ISO 27001 is too costly or difficult and doesn’t warrant the investment. Achieving these standards does require investment, but maintaining basic cyber hygiene doesn’t have to cost the earth and can protect against many common forms of attack. For example, keeping anti-malware software up to date and patching systems regularly helps protect against phishing and ransomware attacks, such as the WannaCry attack that had potentially serious implications for the NHS.
Providing staff with training and regular updates on security is central to managing data security and helps keep staff motivated and alert. Thirty minutes discussing a data breach case study can help people to think twice when they receive an unusual email, apparently from the boss, instructing that a payment be made quickly. Working through this scenario as a light-hearted role play with staff is a great way to show how villains exploit technology to socially engineer a relationship. At the same time, it empowers staff by letting them see, hear and practise conversation techniques that build trust when they talk with customers.
The rule breakers will always be a step ahead, because they are desperate to win and will exploit every weakness. What they can never win are trust and respect; those are the preserve of the good companies that do the right thing and welcome GDPR.
Picture: BBC World News