After months of very little news, GDPR has now taken centre stage.
With numbers more eye-wateringly expensive than the latest football transfer saga, British Airways and Marriott Hotels now find themselves hundreds of millions of pounds poorer for failing to treat consumer data with respect.
A change of legislation now means that the ICO are able to issue largely uncapped fines, revenue that is rumoured to be heading straight into the coffers of the ICO itself. The Marriott fine was interesting because it related to data from 2014, through a business that Marriott acquired. What is now clearer than ever is that ignorance will not be an acceptable excuse for a data breach.
Given the amount of data involved in financial services, I think it’s very likely that the next headline will feature a bank, an insurer, a network or a brokerage.
What does this mean for your data? How can you protect your business? There are three questions you should consider:
1: Is your data what you think it is?
Question: British brokers handle hundreds of millions of lines of data every year, whether that’s online lead generation, co-registered surveys, referrals or simply enquiries to their own websites. The question that the ICO has for you is: do you truly know where that data has come from? Do you have audit measures in place that do more than just ask awkward questions now and then? Can you prove absolutely that ‘lead A’ comes from ‘website A’, complete with all the relevant marketing permissions and consent?
Solution: This is a really tough one for brokers because marketing firms are so reluctant to share their landing pages. It’s time to get tough and demand transparency from your marketing suppliers or withdraw your custom. Unless you know for sure where a lead has come from, you are at risk of a data breach fine. The first thing the ICO will ask you to prove in the event of a customer complaint is that you are fully aware of the customer journey, IP address and consent.
2: Do you have robust processes in place that can detect fraud?
Question: If you buy any sort of customer enquiry, you’ll know (and will probably be sick of hearing) that consumers will often say, “Oh, I didn’t make an application.” If a landing page is “quote focused”, a consumer will often just want to receive that quote online. But what happens if that specific consumer really didn’t make an enquiry and you’ve been sold fraudulent data? How will you know?
Solution: Data will tell you the truth if you ask the right questions. If you are consistently getting feedback from leads you purchase along the lines described above, is there a pattern of when and how you get those leads, and from whom? If you aren’t skilled in the ways of Excel, do you employ someone who is, or can you hire someone for a set budget each month? Advances in artificial intelligence now make detecting fraud straightforward, and there are numerous technical solutions you can buy in. The most important point is: can you prove to the ICO that you are regularly checking?
3: How do you hold data?
Question: If you’ve invested the time to work with compliant data suppliers who are transparent about how they generate the customer, and whom you regularly audit and check for fraud, are you OK then? I’m afraid not. What you do with the data once you have it might be the most important part. How is customer data stored? Do you have a data-compliant system, or do Excel sheets of personal customer data still fly around your office like a pre-GDPR Wild West?
Solution: A CRM is only as good as the inputs you put into it. A CRM that can interpret when a lead has the right marketing permissions and automatically deletes the data when those permissions expire is what you should be aiming for. If you are inspected by the FCA, or indeed the ICO, they will specifically ask to see how you attribute data sources and will ask you to show them how you know when it’s time for data to be deleted.
The data security climate is changing and the ICO mean business, but many brokerages I’ve spoken to consider themselves too small to be of any interest to the ICO. I think this is completely wrong; the problem, like the famous phrase suggests, will start at the top of the hill and roll downwards. I think a possible financial services fine will start with an insurer, bank or funeral product provider, who will then point the finger of blame at a network, who will in turn point at an intermediary.
Solving this problem doesn’t have to be time-consuming or expensive; regulation and compliance technology is commonplace. With hindsight, I imagine the directors of Marriott and British Airways would rather have taken the problem seriously than have to write a combined cheque for £300 million!