Why is GDPR important to marketers?
GDPR is here. Does anyone not know what GDPR stands for? Would anyone else like to discuss it with me? It sounds like a general data protection regulation with vast policy implications.
Most of our clients will. I'll very quickly tell you what we do, how we use HubSpot, and why GDPR has become essential to us in several ways.
We're primarily a technology company. We've built software to help charities and not-for-profits conduct raffles and lotteries online. So, I know that JustGiving will be part of the Blackbaud group very soon.
We are setting out to do what JustGiving has done for the sponsorship form, but for charity raffles and lotteries. An awful lot of it happens on paper. You get it through your door.
We're helping charities bring that online. We've also worked with football clubs and anyone raising money for good causes through raffles and lotteries.
That means we deal with many people's data as a primary function. We do it securely and compliantly, and we have big, horrible pieces of legislation to sift through.
I have two gambling licenses, and my name is on the register at the Gambling Commission as a fit and proper person. I don't know how I squeaked through that.
They go through everything, and rightly so, because we are tested to the same level as a casino or online bookmakers. We help charities sell raffle tickets online.
The other side of that is that we take payment online as well. So, we're governed by PCI DSS, a card payment system. We must keep your transaction secure when passing your credit card information across.
So, a big part of our business is telling our clients that we're compliant, secure, and have a fantastic team, and a safe, forward-thinking platform. We have started getting our house in order regarding how we attract customers. And we heard about HubSpot, and I guess I'm pretty naïve because I filled in a few things online.
I was looking at inbound marketing, and then I just started getting this fantastic content. It began arriving just when I was thinking about certain things, and I had a call from a nice guy in Ireland who talked me through some stuff.
I put the phone down and said, "Right, guys, we've got to do what they're doing. This company is terrific." Then I realized they were using their platform and method to sell to me. It became very compelling. So we began working with HubSpot, and I said, "Look, we don't have the first clue about any of this stuff. Can you recommend someone?" And they said, "Well, there's someone in your area."
They reeled off the address and postcode. I realized it was the guy I'd seen in the corridor, making tea and saying hello. I could literally open my office door and knock on his office door without even setting foot in the corridor. So we began working with Whitehat, and it's been an exciting journey for us because of our commitment to compliance.
Because GDPR was already coming, and because we primarily work for charities and not-for-profits, who frankly had a kicking in the media over the last couple of years, which I think mostly wasn't deserved. I don't think they've done enough to defend themselves.
Still, you'd have heard of significant, high-profile cases like Olive Cooke, the lady who was harassed to her death in Bristol, even though her family repeatedly said that there were many other issues and that that wasn't one of the main factors.
Anyway, a poor, vulnerable elderly woman, and the Daily Mail had pretty much a hate campaign, as far as I could see, against the charity sector. Is anyone here from a charity, or who works with charities? Well,
you're now living in challenging times, and you're under much scrutiny, particularly with GDPR coming in. I think everyone will come in May next year. There will be a few high-profile cases to add to the ones already backing up.
Hopefully, some of those high-profile cases will involve Coca-Cola or Facebook, other companies that ride roughshod over data; put a microphone in my hand, Clwyd, and what do you expect?
So we wanted to get the most out of HubSpot as an inbound marketing tool, cement our position as a leader in compliance, a safe pair of hands, and a secure outfit that understands the value of data.
We realized that all of the stuff we had over here regarding how we operate our platform and safeguard our client's data and their downstream customers was next door and useless when we started thinking about how we interact with people.
Over the last six months, we've been on a journey to determine where our data begins and ends and where our clients' data begins and ends. We've had to learn a lot about GDPR, which essentially replaces the old Data Protection Act that came in in 1998.
It's the first significant overhaul since that time. So it's far-reaching, because it has to be: we work, communicate, and operate entirely differently.
We spoke with a barrister who's an expert on cyber law and has written a book that is so weighty that I could use it to prop open my office door. I have to own it and have struggled to read it, but he knows what he's talking about. One of the first things he said to me was that data is the new oil.
It's being elevated. Your data is being elevated to the status of your home ownership, car ownership, or possessions, and you will have the rights under GDPR to ensure that that obligation is met by anyone you interact with or work with.
Now, when we started to look at how we use data and how we sell to clients, one of the first things we thought was, "Well, if we put it in a contract that we are the data processor and not the data controller, then we can bypass some of that nasty stuff."
It doesn't work like that. The proof is in the pudding. It's how you communicate with people, and you can have more than one function at the same time. You can have a contract to manage your client's data, and then the minute someone calls you up and changes something on your database, or interacts with you, or gives you something else you need to do, like change a record in the database,
those are the pieces of data that you must own and look after, manage and control the record of, in respect of the Information Commissioner's Office. To understand which organizations are in the room, who works for companies with fewer than twenty people? OK, good. A smattering, a few of them. Fifty? More than fifty? OK, more than a hundred?
More than 500? Anyone in the FTSE 500? So there's a wide range of sizes here. I've found that when you get to over fifty to a hundred, the challenge probably goes this way, because there are many other things you have to deal with. Any fewer, and you become compartmentalized again.
You can be pretty silo-focused in how the organization thinks, and different departments can be left to their own devices to worry about navigating the GDPR minefield. From where you're sitting, are you primarily a marketer? Do you own the inbound marketing sort of stuff?
Are you the HubSpot primary user? Most of you feel that HubSpot is where you keep your data. Who uses HubSpot as a primary CRM? Who then has HubSpot working with another CRM platform?
Who here feels that they've got GDPR nailed by May next year? If the ICO knocks on your door, you'll just be able to say, "Come in, look around." Anyone feeling that confident? Who here feels it is not their department? I think it will become the whole of our department in a way.
So, I just wanted to talk about how we got to where we are. I'm not starting by saying where we are now, which is, to be frank, not as far along as I'd hoped. We constantly have to check back between different levels of compliance. An example of that is the Gambling Act.
So because we're licensed, the gambling act is our Bible. We had an inspection two weeks ago, and the head of lotteries and the head of compliance descended on our office. They have the power to do anything within the furtherance of the delivery of their inspection.
So obviously, we're all kind of a-flutter in the office working out how to deal with this. You hear horror stories. In one case the inspector just called the police during the inspection, and the guy was unceremoniously arrested and taken off. He wasn't exactly in our sector. I think he owned a casino, and they found a machete gaffer-taped to the underside of his desk.
So that's a man who has more enemies than I do, that's for sure. But we sailed through that, and then we realised something. You think that if you nail one extensive set of compliance, which might be specific to your industry, then all the other stuff will fall into place. And the more we look at GDPR, the more we realise that that's not the case.
The more we realize that you must make some compromises and sacrifices to work between the different verticals of the other legislation you operate in.
So, an example of that for us is that with gambling, we can't sell a lottery ticket to anyone under the age of sixteen, and we have to age-verify and check people before they make that transaction.
The best practice in the charity sector is that we can't sell a donation, or the option to donate to a charity, to anyone under 18. I think that one is best practice, whereas the other is primary legislation. So, I won't tell my clients they can sell to people the Gambling Act says they can sell to.
Similarly, we've had to learn a lot about managing and holding the data.
It made us go back over how we use HubSpot extremely quickly to determine how we're holding data, how it's being passed around, and how it's being retained.
At the end of every day, you can now go to the place where you used to be able to go to the people who deal with queries from our customers.
So, we build and maintain our reputation by ensuring that when someone signs up to use our software, their customers are treated securely. We handle all the payment queries and provide customer support for their downstream customers.
Then we did a bit of an audit and realized that there were pads on which you could see someone had called and had not updated their bank details or something. The person scribbled that down and then amended it on the database to secure it. However, it's still sitting on a pad.
So, I am just locking down that kind of stuff. And if you're managing HubSpot, or people who interact with you via HubSpot on the CRM, there will be times when some of that data is probably written down on a pad or, you know, these are the things you need to worry about. We're also working with Whitehat to understand how some of our concerns around the GDPR post-March will be dealt with within HubSpot.
We've recently decided to outsource. However, we're only 11 or 12 people. We were not required to have a data protection officer, but we're going to get one, and we're doing that by having a service that we get several days a month. They will be registered with our company, they will do an audit, and they will be responsible for making sure that our processes are compliant.
That's been vital for us because most of our content in HubSpot is about how awesome we are at looking after the data and how great we are at keeping card details secure. We adhere to every letter of the Gambling Act, et cetera, et cetera, et cetera. So, to maintain that wealth of knowledge, it speaks to Clwyd's point about how we as a small business have begun to disrupt the sector that we're in, most of whom have print management firms, most of whom don't have software.
We've done it by being relatively niche in how we create the HubSpot content, and it's all around the fact that we're a trusted pair of hands. We understand the technology; we know security. The next six months will be instrumental in working out whether we do. Now, regarding where you're sitting with GDPR, my first advice would be to do something, do something, and do it quickly.
Get policies in place. Like all laws, they don't give you the answers. They give you a set of grey parameters in which to operate. For example, the right to be forgotten is a big central plank of GDPR. No one knows precisely what that means or exactly how long they're thinking of, because there's nothing put down.
It's about what you can justify. And as this barrister said to us, if in May next year the ICO knocks on your door and says, "Right, where are your policies? If someone hasn't interacted with you, what do you do with them?" And if you said, "Well, we go back to them x number of times.
After three years, we delete that record from our databases. They might say, "Actually, we were, you know, we think maybe that's a little bit long, but seeing as you have a policy, and seeing as it's all laid out, they're just going to say thanks very much." And they'll knock on the door, the person who isn't expecting them and doesn't have a ring binder with all their policies laid out.
So do something and make it look justifiable; not make it look justifiable, justify it, and think it through. Hopefully, the ICO won't come knocking with any questions; you always have a question; you are like Columbo.
It's my job. The way I look at GDPR is a bit like the hard Brexit thing, right? So you've got a date.
Everybody's working towards that date, and pretty much everybody I've spoken to has the impression that nobody will be ready, or at least vast swathes of all different industries will not be prepared.
What are the consequences of failure regarding fines and impact on our business? I don't think everybody has picked up on the scale of some of this.
The best comparison is if you look at TalkTalk, which was fined not long ago for a significant data breach. It was a few hundred grand. It's been worked out, and there's no way of knowing this until the ICO were to apply the new legislation, but their fine, if they had committed the same infractions under GDPR, would likely be around thirty to forty million.
So that is a scary factor higher. It's also potentially open-ended, and the fines are just a percentage of worldwide turnover, so it's not profit. Again, as Dean Armstrong QC said, these used to be mistakes that might cost an IT director or a CTO their job, but now they have become issues that could cost a CEO their job or just kill the company and the business. Imprisonment?
Yeah, directors are another thing: all those annoying phone calls from people you don't know how they got your number in the first place. They're probably just putting it through a dialer until it spits out a number.
It used to be the case that they could shut down the company, set up a new one from within the same building and carry on. They're now going to be able to go after the directors, with fines for the directors and potentially imprisonment as well. So, if you're dealing with data, especially if you're a director of your company, you need to get your head around this.
Frequently Asked Questions About GDPR Compliance
Since the implementation of GDPR, many businesses have had questions about its impact and how to ensure compliance. Here are some of the most frequently asked questions to help you navigate the complexities of GDPR:
Q1: What is GDPR, and why is it essential for businesses?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect in the EU on May 25, 2018, and continues to apply in the UK post-Brexit. It's crucial for businesses because it strengthens individuals' rights over their data and imposes strict requirements on how organizations collect, process, and store this data. Compliance is essential to avoid severe penalties and maintain trust with customers and stakeholders.
Q2: Does GDPR apply to small businesses?
Yes, GDPR applies to businesses of all sizes that process the personal data of EU residents, regardless of where the company is located. While some exemptions exist for organizations with fewer than 250 employees, such as reduced record-keeping requirements, the core principles of GDPR still apply. Small businesses should focus on understanding what personal data they hold and why they hold it, and on ensuring they have a lawful basis for processing it.
Q3: How does GDPR affect inbound marketing strategies?
GDPR has significantly impacted inbound marketing by requiring explicit consent for data collection and use. Key changes include:
- Opt-in only: Pre-ticked boxes are no longer allowed for obtaining consent
- Clear communication: Privacy policies must be transparent and easily understandable
- Right to be forgotten: Customers can request deletion of their data
- Data portability: Users can request their data in a portable format
Marketers must ensure their practices, including email marketing and lead generation, comply with these requirements.
Q4: What are the potential consequences of non-compliance with GDPR?
Non-compliance can result in severe penalties, including:
- Fines of up to €20 million or 4% of global annual turnover, whichever is higher
- Reputational damage and loss of customer trust
- Potential legal action from individuals whose rights have been violated
- For company directors, personal liability and potential imprisonment in severe cases
Businesses must take GDPR compliance seriously to avoid these consequences.
Q5: How does GDPR interact with other industry-specific regulations?
GDPR often overlaps with other regulations, and businesses must navigate these intersections carefully. For example, in the gambling industry, GDPR's age verification requirements may need to be reconciled with specific gambling legislation. Similarly, financial services or healthcare providers may need to balance GDPR requirements with industry-specific data protection rules. It's advisable to consult with legal experts to ensure compliance with all applicable regulations.
Q6: What practical steps can businesses take to ensure GDPR compliance?
Critical steps for GDPR compliance include:
- Conduct a data audit to understand what personal data you hold and process
- Update privacy policies and consent mechanisms
- Implement data protection by design and default in your processes
- Train staff on GDPR requirements and data handling procedures
- Appoint a Data Protection Officer (DPO) if required, or consider outsourcing this role
- Establish procedures for handling data subject requests (e.g., right to access, right to be forgotten)
- Regularly review and update your data protection measures
Q7: How has GDPR enforcement evolved since its implementation?
Since its implementation, GDPR enforcement has become more stringent. Notable trends include:
- Increased fines for non-compliance, with some high-profile cases involving major tech companies
- Greater scrutiny of data processing activities, particularly in digital marketing and ad tech
- Focus on transparency and the validity of consent mechanisms
- Emphasis on data minimization and purpose limitation principles
Businesses should stay informed about enforcement trends and adjust their practices accordingly.
Remember, while this FAQ provides general guidance, GDPR compliance can be complex. It's always recommended to seek professional legal advice for your specific situation.