We’ve done a podcast!
Last week, The Hidden Edge‘s Laura McHarrie of The Hidden Edge and Nigel Davey of SME Needs invited me to join them on one of their Sound Business Advice podcasts. We chatted about customer engagement, behavioural insights, new technology, data and how to treat it…
November’s Monthly Compliance Newsletter
Daniel Defoe said death and taxes are certain – and so are regulation and compliance. But they’re not always clear or obvious. Let’s try and help…
This month’s headlines:
• The ‘tracksuit tycoon’ calls foulon Nike & Adidas
• The ICO looks to seize dodgy marketers’ assets
• Two nuisance call directors banned for 6 years
• The Fundraising Preference Serviceisn’t preferred by many people, it seems
• Deliveroo can’t deliver to space – official
• Is DRTV the retro-marketing salvation for marketers with GDPR-diminished databases?
• Tread carefully when setting up Google Ads warns the ASA
Channel Doctors Monthly Compliance Newsletter – November 2019_compressed
Download
or subscribe for free and receive the Newsletter in your inbox every month http://eepurl.com/gqxzw5
October’s Monthly Compliance Newsletter
Here’s our October Compliance Newsletter, packed with the regulation and compliance news customer-focused professionals need to know (without the boring bits).
This month’s headlines:
- Is the ICO crowd-sourcing cookie compliance?
- CMA takes on Salesforce
- Home improvements firm fined £150,000 for calling TPS numbers
- Research shows marketers’ data privacy understanding getting worse
- RNLIditches its consent-only fundraising stance
- Burger King‘s milkshake tweet upsets the ASA
Download your copy here:
or subscribe for free and receive the Newsletter in your inbox (nearly) every month http://eepurl.com/gqxzw5
September’s Monthly Compliance Newsletter
Our September Compliance Newsletter, with all the regulation and compliance news customer-focused professionals need while the nights draw in…
This month’s headlines:
- Subject Access Requests – rip up the process as they’ve got quicker and trickier
- Cold calling culprit gets struck off for 5 years
- Fake Mo lands vaping firm in hot water
- 3 more years for the DMA and the TPS
- £160,000 fine for boiler firm calling opted-out consumers
Download your copy here:
or subscribe for free and receive the Newsletter in your inbox (nearly) every month http://eepurl.com/gqxzw5
July & August’s Monthly Compliance Newsletter
Channel Doctors’ July & August Compliance Newsletter, with all the regulation and compliance news customer-focused professionals need this summer.
The Headlines:
- The ICO says your website is probably non-compliant (all of a sudden)
- Long-awaited ‘GDPR era’ fines put a potential £183m price on data breaches
- EE fined £100k by the ICO for confusing marketing comms with service messages (and the ICO also reveals that it thinks repeating a message means you’re marketing)
- Dyson’s TV ad rapped for a hidden plug
- Home security firm fined £90k for assuming too much & checking too little when telemarketing
Download your copy here:
or subscribe for free and receive the Newsletter in your inbox (nearly) every month http://eepurl.com/gqxzw5
The Culpability Index (c)
Have you heard about the Culpability Index (c) ? Probably not, because I’ve just invented it after taking a more detailed look at the Information Commissioner’s Office (ICO)’s announcements last week of its intention to fine British Airways and Marriott £183m and £99m respectively for their data breaches.
In the space of two days, last week, the ICO brought the long wait for the UK’s first “GDFP Era” fines (if we disregard the action against SCL aka Cambridge Analytica) well and truly to an end. In fact if they had continued at that rate every working day for a year then the ICO could raise a much-needed £36.7bn for the Treasury.
Opinions vary as to whether the BA and Marriott level of fines (at least 200 times larger than any previous ‘pre-GDPR’ penalties, remember) were to be expected, or just an ‘opening shot’, likely to be reduced either in consultation with the other European data protection regulators, for which the ICO acted as lead regulator, or on appeal. But either way, 8 or 9-figure fines are way beyond the ‘slap on the wrist’ level big brands falling foul of the ICO have grown used to.
That said, the ICO’s decision making process seems typically unclear. BA’s data breach involved the personal data of far fewer EEA data subjects than did Marriott’s (500,000 vs 30 million), but the effective “cost per data subject” for BA was £366 – over 100 times greater than Marriott’s, even though from the information publicly available the sort of data involved was quite similar.
So, why was BA’s failure so much ‘worse’ than Marriott’s? Well , at this stage its hard to tell. The penalties are only proposed at this stage, so the ICO hasn’t provided any detailed explanations for their decisions. But even when penalties are confirmed it’s often not at all apparent why the ICO takes action enforcement action in specific cases and when they do, what it is that decides the level of penalty imposed.
When the ICO is planning to impose penalties running into the tens and hundreds of millions of pounds, however, they will need to. When data breaches occur arguably one of the key considerations is the breached organisation’s culpability. Perhaps the ICO’s view is that as Marriott’s breach was from the cyber insecure database inherited as part of its purchase of Starwood in 2016 then it’s mainly guilty of a lack of proper due diligence. In contrast, anecdotal evidence from within BA suggests that its data security failings were systemic, long-term and predictable – and therefore BA’s culpability was considerable.
Anyway, we’ll see what happens – and if anyone from the ICO’s reading, you can have the Culpability Index (c). For a small consideration.
Let’s talk.
(If you’re interested in this sort of thing, sign up to receive our Monthly Compliance Newsletter; dedicated to summarising regulation and compliance news and changes for people with more important things to worry about)
£366 per Person
£366 per person
That’s the equivalent price British Airways (parent group IAG) will have to pay if the ICO decides to uphold it’s interim announcement to fine BA £183.39m as a result of the airline’s 2018 data breach which exposed the personal details of 500,000 customers.
Impressively that’s even more than the £133m that yesterday’s negligible 1.5% drop in IAG’s share price shaved off its total market capitalisation (though the share price has been sliding recently, anyway, due to lower profits and the threat of strike by pilots).
So, the ICO has levied its first (non Cambridge Analytica-related) ‘GDPR era’ fine, using the 2018 Data Protection Act. What can we learn from it? Well, it’s no surprise that it’s for a data breach or that BA are a suitably ‘big name’. £366 per person whose personal data is breached would be a frighteningly high yardstick for most organisations which still hold lots of data on people they derive little commercial benefit from. But the fact that £183m is about 1½% of BA’s turnover might be more indicative and meaningful.
In any event, it may be time to have another cyber security audit!
And why not sign up for our Monthly Compliance Newsletter:
103 Seconds You’ll Never Get Back
I just called Nationwide‘s insurance number (0800 145 6060). My call was answered straight away and had my question about a quote knowledgably and helpfully resolved. The call lasted 5 minutes and 20 seconds. However, the first 1 minute and 43 seconds was taken up with up-front recorded messages.
That’s one third of the whole call, during which time I wasn’t having my query resolved, experiencing the good service I went on to receive and not able to interact at all – unless I pressed 1 to say that I didn’t want Nationwide to ask me how the call went afterwards.
In fairness to Nationwide (or more likely RSA which is their insurance partner), the messages about data protection, Nationwide’s commercial deal with the underwriter, credit checks, etc, weren’t awful examples of legalese – I’ve heard far worse – and no doubt there are good compliance reasons for having them all.
But then again, I only started half paying attention to the messages half-way through because a) it’s my line of work, b) I thought I could blog about it.
Really, there must be a better way!
€57bn
€57bn. That’s how much business 451 Research estimates could be lost as a result of the implementation of Strong Customer Authentication (SCA), this autumn.
According to a paper commissioned by payments firm Stripe – who aren’t what you would call a disinterested observer, to be fair – the new requirements stemming from the EU’s Second Payment Services Directive (PSD2) may reduce EU-wide ecommerce revenues by 10% or €57bn annually.
SCA broadly means that consumers will have to verify their identity more often when making online payments. SCA will be mandatory from September, but (unsurprisingly) according to 451 most people have never heard of it- and nor have a lot of merchants selling online.
So, if you don’t want to be hit by confused customers and a 10% drop in online sales this autumn what should you do? Well, SCA’s all rather complex (no surprises there), but there’s plenty of guidance available online and for starters I’d have a read of this introduction to PSD2 from the DMA Contact Centre Council (by Ultracomms‘ Tom Davies) and have a word with your bank or payment processing provider.
June’s Monthly Compliance Newsletter
Channel Doctors’ June Compliance Newsletter, with all the regulation and compliance news for customer-focused professionals.
June’s Headlines:
- PayPal, Apple, receipt rolls and microscopes all come under the CMA’s spotlight
- ICO orders HMRC to ditch 5m biometric voice records
- Latest ICO fine again highlights the dangers of using 3rd party lead gen sites
- A botched new billing system lands Plusnet on the Ofcom naughty step
- €57bn loss in online sales due to new payment rules (claims an entirely unbiased payment services provider)
Download your copy here:
or subscribe for free and receive the Newsletter in your inbox every month http://eepurl.com/gqxzw5
