Channel Doctors’ July & August Compliance Newsletter, with all the regulation and compliance news customer-focused professionals need this summer.
- The ICO says your website is probably non-compliant (all of a sudden)
- Long-awaited ‘GDPR era’ fines put a potential £183m price on data breaches
- EE fined £100k by the ICO for confusing marketing comms with service messages (and the ICO also reveals that it thinks repeating a message means you’re marketing)
- Dyson’s TV ad rapped for a hidden plug
- Home security firm fined £90k for assuming too much & checking too little when telemarketing
Download your copy here:
or subscribe for free and receive the Newsletter in your inbox (nearly) every month http://eepurl.com/gqxzw5
Have you heard about the Culpability Index (c) ? Probably not, because I’ve just invented it after taking a more detailed look at the Information Commissioner’s Office (ICO)’s announcements last week of its intention to fine British Airways and Marriott £183m and £99m respectively for their data breaches.
In the space of two days last week, the ICO brought the long wait for the UK’s first “GDPR era” fines (if we disregard the action against SCL, aka Cambridge Analytica) well and truly to an end. In fact, if they had continued at that rate every working day for a year, the ICO could raise a much-needed £36.7bn for the Treasury.
Opinions vary as to whether the BA and Marriott level of fines (at least 200 times larger than any previous ‘pre-GDPR’ penalties, remember) were to be expected, or just an ‘opening shot’, likely to be reduced either in consultation with the other European data protection regulators, for which the ICO acted as lead regulator, or on appeal. But either way, 8 or 9-figure fines are way beyond the ‘slap on the wrist’ level big brands falling foul of the ICO have grown used to.
That said, the ICO’s decision making process seems typically unclear. BA’s data breach involved the personal data of far fewer EEA data subjects than did Marriott’s (500,000 vs 30 million), but the effective “cost per data subject” for BA was £366 – over 100 times greater than Marriott’s, even though from the information publicly available the sort of data involved was quite similar.
So, why was BA’s failure so much ‘worse’ than Marriott’s? Well, at this stage it’s hard to tell. The penalties are only proposed at this stage, so the ICO hasn’t provided any detailed explanation for its decisions. But even when penalties are confirmed it’s often not at all apparent why the ICO takes enforcement action in specific cases and, when it does, what it is that decides the level of penalty imposed.
When the ICO is planning to impose penalties running into the tens and hundreds of millions of pounds, however, they will need to. When data breaches occur arguably one of the key considerations is the breached organisation’s culpability. Perhaps the ICO’s view is that as Marriott’s breach was from the cyber insecure database inherited as part of its purchase of Starwood in 2016 then it’s mainly guilty of a lack of proper due diligence. In contrast, anecdotal evidence from within BA suggests that its data security failings were systemic, long-term and predictable – and therefore BA’s culpability was considerable.
Anyway, we’ll see what happens – and if anyone from the ICO’s reading, you can have the Culpability Index (c). For a small consideration.
(If you’re interested in this sort of thing, sign up to receive our Monthly Compliance Newsletter; dedicated to summarising regulation and compliance news and changes for people with more important things to worry about)
£366 per person
That’s the equivalent price British Airways (parent group IAG) will have to pay if the ICO decides to uphold its interim announcement to fine BA £183.39m as a result of the airline’s 2018 data breach, which exposed the personal details of 500,000 customers.
Impressively that’s even more than the £133m that yesterday’s negligible 1.5% drop in IAG’s share price shaved off its total market capitalisation (though the share price has been sliding recently, anyway, due to lower profits and the threat of strike by pilots).
So, the ICO has levied its first (non Cambridge Analytica-related) ‘GDPR era’ fine, using the 2018 Data Protection Act. What can we learn from it? Well, it’s no surprise that it’s for a data breach or that BA are a suitably ‘big name’. £366 per person whose personal data is breached would be a frighteningly high yardstick for most organisations which still hold lots of data on people they derive little commercial benefit from. But the fact that £183m is about 1½% of BA’s turnover might be more indicative and meaningful.
In any event, it may be time to have another cyber security audit!
And why not sign up for our Monthly Compliance Newsletter:
I just called Nationwide’s insurance number (0800 145 6060). My call was answered straight away and my question about a quote was knowledgeably and helpfully resolved. The call lasted 5 minutes and 20 seconds. However, the first 1 minute and 43 seconds was taken up with up-front recorded messages.
That’s one third of the whole call, during which time I wasn’t having my query resolved or experiencing the good service I went on to receive, and wasn’t able to interact at all – unless I pressed 1 to say that I didn’t want Nationwide to ask me how the call went afterwards.
In fairness to Nationwide (or more likely RSA which is their insurance partner), the messages about data protection, Nationwide’s commercial deal with the underwriter, credit checks, etc, weren’t awful examples of legalese – I’ve heard far worse – and no doubt there are good compliance reasons for having them all.
But then again, I only started half paying attention to the messages half-way through, because a) it’s my line of work and b) I thought I could blog about it.
Really, there must be a better way!
€57bn. That’s how much business 451 Research estimates could be lost as a result of the implementation of Strong Customer Authentication (SCA), this autumn.
According to a paper commissioned by payments firm Stripe – who aren’t what you would call a disinterested observer, to be fair – the new requirements stemming from the EU’s Second Payment Services Directive (PSD2) may reduce EU-wide ecommerce revenues by 10% or €57bn annually.
SCA broadly means that consumers will have to verify their identity more often when making online payments. SCA will be mandatory from September, but (unsurprisingly) according to 451 most people have never heard of it – and nor have a lot of merchants selling online.
So, if you don’t want to be hit by confused customers and a 10% drop in online sales this autumn, what should you do? Well, SCA’s all rather complex (no surprises there), but there’s plenty of guidance available online. For starters I’d have a read of this introduction to PSD2 from the DMA Contact Centre Council (by Ultracomms’ Tom Davies) and have a word with your bank or payment processing provider.
Channel Doctors’ June Compliance Newsletter, with all the regulation and compliance news for customer-focused professionals.
- PayPal, Apple, receipt rolls and microscopes all come under the CMA’s spotlight
- ICO orders HMRC to ditch 5m biometric voice records
- Latest ICO fine again highlights the dangers of using 3rd party lead gen sites
- A botched new billing system lands Plusnet on the Ofcom naughty step
- €57bn loss in online sales due to new payment rules (claims an entirely unbiased payment services provider)
Download your copy here:
or subscribe for free and receive the Newsletter in your inbox every month http://eepurl.com/gqxzw5
A recent survey of nearly 1,000 customer service professionals globally by Incite Group (‘2020 State of Customer Service’) found that 38.2% claimed to reply to customer service requests within one hour.
On the face of it, this is an impressive stat; only a few years ago very few organisations would reply to customer requests within the day (and in fairness, many still struggle to do so).
However, the same research found that over 30% of organisations hadn’t yet even started to offer social customer service. In a world where social is the channel of choice for growing numbers of consumers this perhaps casts the first finding in a slightly different light. Are customer service professionals who strive for excellent response times on communication channels which are becoming less meaningful, while not embracing new channels, running the risk of just “building a faster horse”, to quote Henry Ford?
Certainly, over the age of 35 it seems that consumers increasingly regard personalised advertising more negatively than positively.
So, brands firstly need to steer clear of the ‘uncanny valley’: seeming to know too much about consumers and getting ‘creepy’. Instead they need to focus on appropriately utilising the data and insights they do have on customers and prospects – very often the data that’s shared face-to-face and in contact centre conversations, but isn’t captured to customers’ and brands’ mutual advantage.
According to the Top Companies for Customer Service’s ‘Baseline Benchmarking Report 2018’, less than half of social media customer service agents’ knowledge was considered to be Excellent. The research was conducted by GfK and assessed scores of major brands (and found that the ‘Top 50’ group members performed significantly better) – but is ‘Excellent’ product knowledge too big an ask?
I don’t think so.
No brand has ever been forced to deliver customer service over social channels; it’s a choice. Social is a very public world and its users are often emotionally engaged and short of time and/or patience. Brands SHOULD be the experts in their products and services! If their customer service teams aren’t, then they should maybe stop trying to provide customer service on social. See what we think – and watch the video at www.channeldoctors.co.uk/cx
Businesses which maintain accurate, relevant data enjoy 12% higher revenues and 40% better results from targeted marketing campaigns than their less organised peers.
This National Audit Office (NAO) finding was cited by 9 Group’s Paul Buckle at Osborne Clarke’s ‘GDPR…One Year On’ event in Bristol on Tuesday. Paul explained how data like this helped him form the value and business case for GDPR/DPA 2018 compliance – making good data management a business driver, not a drag on progress.