I'm going to talk for ten or fifteen minutes, just pitch in and ask questions whenever you want. I'm going to talk about a few things together. GDPR is something which is looming. Does anyone not know what GDPR stands for? Would anyone else like to? A couple over here. It stands for General Data Protection Regulation; the implications are pretty vast. Most of our clients will, I'll very quickly tell you a bit about what we do. I'll tell you a bit about how we use HubSpot, why GDPR has become quite important to us in a number of ways. We're a technology company primarily. We've built software to help charities and not-for-profits do raffles and lotteries online. So, I know that JustGiving is to be part of the Blackbaud group very soon. We are setting out to do for charity raffles and lotteries what JustGiving has done for the sponsorship form. An awful lot of it happens by paper. You get it through your door. We're helping charities bring that online. We also worked with football clubs and anyone who's raising money for good causes through raffles and lotteries. That means we deal with an awful lot of people's data and we do it as a primary function. We do it securely, we do it in a compliant way and we have really, really big horrible pieces of legislation to sift through. I have two gambling licenses plus my name is on the register at the Gambling Commission as a fit and proper person. I don't know how I squeaked through that. They go through everything, and rightly so, because we are tested to the same level as a casino or an online bookmakers, but at the end of the day we just help charities sell raffle tickets online.
And the other side of that is we take payment online as well. So we're governed by PCI DSS, a card payment. We have to keep your transaction secure when we're passing your credit card information across. So a big part of our business is telling our clients that we're compliant, that we're secure, and we have a fantastic team who have built a very secure and forward-thinking platform. Now then, we started getting our house in order in terms of how we attract our customers. And we heard about HubSpot and I guess I'm quite naïve because I filled in a few things online. I was looking at inbound marketing and then I just started getting this fantastic content that started arriving just when I was thinking about certain things, and I had a call from a really nice guy in Ireland who talked me through some stuff.
I put the phone down and said, right guys, we've got to do what they're doing. This company is amazing. And then I realized that they were using their own platform and their own method to sell to me. It became very compelling. So we began working with HubSpot and I said, look, we don't have the first clue about any of this stuff. Can you recommend someone? And they said, well, there's someone in your area. They reeled off the address and post code. And I realized that it was the guy that I'd seen in the corridor or making tea in the corridor and saying hello to, but I could literally open the door of my office and knock on his office without even stepping foot in the corridor. So we began working with Whitehat and it's been a really interesting journey now for us because of our commitment to compliance.
Because of the fact that GDPR was already coming and because of the fact that we primarily work for charities and not-for-profits who frankly had a kicking in the media over the last couple of years, which I think mostly wasn't deserved and I don't think they've done enough to defend themselves, but you'd have heard of big high profile cases like Olive Cooke, the lady who apparently was harassed to her death in Bristol, despite the fact that her family repeatedly said that there were many other issues and that that wasn't really one of the main factors. Anyway, a poor vulnerable elderly woman, and the Daily Mail had pretty much a hate campaign, as far as I could see, against the charity sector. That's made the sector... Is anyone here from a charity or work with charities? Great.
Now you're living in challenging times, you're under a lot of scrutiny. Particularly with GDPR coming in. I think, come May next year, there is going to be a few high profile cases to add to the ones that are already backing up. Hopefully some of those high profile cases will be, you know, Coca-Cola or Facebook or other companies that ride roughshod over data. Put a microphone in my hand, Clwyd, and what do you expect? So we wanted to get the most out of HubSpot as an inbound marketing tool, cement our position as a leader in compliance, as a safe pair of hands, as a secure outfit who understands the value of data. And we realized that all of the stuff that we had over here in terms of how we operate our own platform, how we safeguard our clients' data and their downstream customers, was next door to useless when we started thinking about how we actually interact with people ourselves.
So we've been on a journey over the last six months to work out where our own data begins and ends and where our clients' data begins and ends. We've had to learn a lot about GDPR. GDPR essentially is replacing the old Data Protection Act, that came in in 1998. It's the first major overhaul since that time. So it's far reaching because it has to be, because we work, we communicate, we operate in a completely different way. We spoke with a barrister who's an expert on cyber law, has written a book so weighty that I could use it to prop open the door of my office, in fact I have to own and have struggled to read the thing, but he knows what he's talking about. One of the first things he said to me was, data is the new oil.
It's being elevated. Your personal data is being elevated to the status of your home ownership or your car or possession, and you will have the rights under GDPR to make sure that that obligation is met by anyone that you intersect or work with. Now when we started to look at how we use data and how we are selling to clients, one of the first things was, well, if we put it in a contract that we are the data processor and not the data controller, then we can bypass all of some of that, you know, nasty stuff. It doesn't work like that. The proof is in the pudding. It's how you communicate with people, and you can be more than one function at the same time. You can have a contract to manage your client's data and then the minute one person calls you up and changes something on your database or interacts with you or gives you something else that you need to do, like change a record in the database, they are your piece of data that you have to own and look after. Manage and control that record and respect of the Information Commissioner's Office. Just to get a sense of which organizations are in the room, who here works for companies with fewer than twenty people there? OK, good. Smattering, few of them. Fifty? More than fifty? OK, more than a hundred?
More than 500? Anyone on the FTSE 500? So there's a big range of different sizes here. What I've found is that when you get to over that kind of fifty to a hundred, the challenge is probably go this way because there's a whole lot of other things you have to deal with. You're less, you become compartmentalized again. You can be quite silo focused in the way the organization thinks, and different departments can be left to their own devices to worry about how they navigate the GDPR minefield. From where you're sitting, are you primarily marketers? Do you own the inbound marketing sort of stuff? Are you the HubSpot primary users? Most of you. Who feels that HubSpot is where you keep your data? Who uses HubSpot as a CRM, as a primary CRM? Who then has HubSpot working with another CRM platform?
Who here feels that they've got GDPR nailed come May next year? If the ICO knocks on your door, you're going to just be able to say, come in, look around. Anyone feeling that confident? Who here feels it's not really their department? I think it's going to become all of our department in a way. So I just wanted to just very quickly talk through how we got to where we are. I'm not going to start with saying where we are now, which is I'm not as far along as I'd hoped, to be frank. We are constantly having to check back between different levels of compliance. An example of that is the Gambling Act. So because we're licensed, the Gambling Act is kind of our Bible. We had an inspection two weeks ago and the head of lotteries and the head of compliance descended on our office, and they have the power to do anything within the furtherance of the delivery of their inspection.
So obviously we're all kind of aflutter in the office working out how to kind of deal with this. You hear horror stories. One guy, the inspector just called the police mid inspection and the guy was just unceremoniously arrested and taken off. He wasn't exactly in our sector. I think he owned a casino and they found a machete gaffer taped to the underside of his desk. So that's a man who has more enemies than I do, that's for sure. But we sailed through that and then we started to realize that there's a lot that they, you kind of think if you nail one big set of compliance, it might be specific to your industry, then all the other stuff will fall into place. And the more we look at GDPR, the more we realized that that's not the case.
The more we realize that you have to make some compromises and sacrifices to work between the different verticals of the different legislation that you operate in. So an example of that for us is that with gambling, we can't sell a lottery ticket to anyone who's under the age of sixteen and we have to age verify and we have to check people before they make that transaction. The best practice in the charity sector is that we can't sell a donation, or the option to donate to a charity, to anyone who's under 18. I kind of think, well, one's best practice and the other is primary legislation. So I'm not going to tell my clients that they can sell to people that the Gambling Act says that they can sell to. Similarly, in terms of how we manage and hold the data, we've had to learn a lot.
Extremely quickly, and it's made us really go back over the way in which we use HubSpot to work out how we're holding data, how it's being passed around, how it's being retained. At the end of every day, you could, where you used to be able to go over to the people who deal with queries from our customers' customers. So how we build our reputation and maintain it is by making sure that when someone signs up to use our software, their customers are treated securely; we handle all the payment queries, we handle the customer support for their downstream customers. And then we did a bit of an audit and realized that there were pads on which you could see someone had called and had not updated their bank details or something, and the person scribbles that down and then goes and amends it on the database, so all secure on the database, but it's still sitting on a pad at the end of the day.
So just locking down that kind of stuff. And if you're managing HubSpot, if you're managing people who are interacting with you via HubSpot on the CRM, there will be times when some of that data is probably written down on a pad or, you know, these are the things you need to worry about. We're also working with Whitehat on understanding exactly how some of our concerns around GDPR post March will be dealt with within HubSpot. We've recently taken a decision to just outsource; although we're only 11 or 12 people, we're not required to have a data protection officer, but we're going to get one, and we're doing that by having a service where we get a number of days a month of a data protection officer. They will be registered to our company, they will do an audit and they will be responsible for making sure that our processes are compliant.
That's been really key for us because a lot of our content in HubSpot is about how awesome we are looking after the data and how great we are keeping card details secure and we adhere to every letter of the Gambling Act, et cetera, et cetera, et cetera. So for us to maintain that wealth of the knowledge, and it speaks to Clwyd's point about how we as a small business have begun to disrupt the sector that we're in, most of whom have print management firms, most of whom don't have software. And we've done it by being quite niche in terms of how we create the HubSpot content, and it's all around the fact that we're a trusted pair of hands. We understand the technology, we understand security. Now, obviously the next six months is going to be instrumental in working out whether we actually do. Now in terms of where you're sitting with GDPR, my first advice would be do something, do something, do it quickly.
Get policies in place. Like all law, they don't give you the answers. They just give you a set of gray parameters that you have to operate in. For example, the right to be forgotten is a big central plank of GDPR. No one actually knows exactly what that means or exactly how long they're thinking because there's nothing put down. It's about what you can justify. And as this barrister said to us, if in May next year the ICO knock on your door and say, right, where's your policies? If someone hasn't interacted with you at all, what do you do with them? And if you said, well, we go back to them x number of times and after three years we expunge that record from our databases, they might say, actually, you know, we think maybe that's a little bit long, but seeing as you have a policy, and seeing as it's all laid out, they're just going to say thanks very much. And they'll go and knock on the door of the person who isn't expecting them and doesn't have a ring binder with all their policies laid out. So just do something and make it look justifiable, not make it look justifiable, justify it and think through it, and hopefully the ICO don't come a-knocking. Any questions? You always have a question, you are like Columbo.
It's my job, right? The way I look at GDPR, it's a bit like the hard Brexit thing, right? So you've got a date. Everybody's working towards that date and pretty much everybody I've spoken to is of the impression that nobody's going to be ready, or at least there's going to be huge swathes of all different industries that are not going to be ready. What are the consequences of failure, in terms specifically of fines and impact on our business? Because I don't think everybody has really picked up on the scale of some of this.
The best comparison is if you look at TalkTalk, who got fined not that long ago for a significant data breach. It was a few hundred grand they were fined. It's been worked out, and there's no way of knowing this until the ICO were to apply the new legislation, but had they committed the same set of infractions on the GDPR, their fine would likely be somewhere around thirty to forty million. So that is a scary factor higher. It's also potentially open ended and the fines are just a percentage of worldwide turnover, so not profit. It's again, as Dean Armstrong QC said to us, these used to be mistakes that might cost an IT director or a CTO their job, that are now becoming issues that could cost a CEO their job or just kill the company, kill the business. Imprisonment?
Yeah, directors is another thing. All those annoying phone calls that you get from people that you don't know how they got your number in the first place, and they've probably just put it through a dialer until it spits out a number. It used to be the case that they could shut the company down, set up a new one from within the same building and carry on. They're now going to be able to go up and get the directors. With fines to the directors and potentially imprisonment as well. So if you're dealing with data, especially if you're a director of your company, this is something you really need to get your head around.