Anthea Stratigos – July 5, 2016
It’s getting harder and harder to run a small business. Regulations, often developed as a result of big-company misbehavior, wreak havoc on small companies that do their best to be good citizens. Just recently we published an Insight to clients entitled Safe Harbour Replacement Rejected as Countdown to GDPR Begins, by Hugh Logue, our analyst who focuses on the legal information solutions space, the legal market, and the legal issues that affect our industry. Knowing that being ‘of the industry we serve’ and acting in congruity with what we advise is crucial, I sent a note.
The dialog went something like this:
Pushed email from the CEO: “Hey team, wanting to make sure we’re in compliance and you have a plan for this.”
The ensuing email thread is below, at which said CEO rolled her eyes and said to herself, ‘you’ve got to be kidding.’
“……We’re a small company so I think we can easily comply with the GDPR before May 2018, if not a lot sooner.
- We don’t sell to children, which is causing one of the biggest headaches.
- We don’t employ more than 250 employees so we don’t need to nominate a dedicated Data Protection Officer.
- We only have one or two (Salesforce and Marketo) databases that contain personal data, and I expect their security is of the highest standard.
I think you are right about clients and newsletter subscribers; we have their consent and their data is stored securely. However, we might need to:
- Check where the data of EU residents is stored and the processes that our suppliers use to transfer data between EU-US.
- Check what our suppliers’ security breach plan is. We will have an obligation to report the security breach to the Supervisory Authority within 72 hours.
- Provide more prominent, clear and concise privacy notices.
- Provide a form on our website to facilitate a data subject’s “right to erase” all records of that person – so this might include previous email correspondence we store in CRM for example.
I think the bigger issue is our sales prospects, i.e. people that are not clients and do not subscribe to our newsletters. The definition of personal data in the EU is broad, and really just means data that can identify a person regardless of whether it is personal or work contact details. Collecting the contact details of anyone that has not provided consent is in potential breach of current and forthcoming privacy regulations. This would include:
- Copying the contact details of a person from a company website into CRM;
- Copying the contact details of a person from LinkedIn, Facebook etc. into CRM;
- Guessing the email address of a person (e.g. Name@Company.com) and saving it in CRM.
I am sure they are already aware, but we will need to confirm that staff know they cannot do this type of personal data collection. Perhaps we could modify how new contact information is entered into Salesforce with a question on whether express consent was obtained? If express consent is not obtained then the data is not stored. We could also include a section on data privacy in the Grail and ensure a question is included in the Grail test for new recruits.
The GDPR will also overall make people more aware of their privacy rights and the official complaints procedure. The Supervisory Authority will investigate any complaints and will expect to see a company’s data privacy records, plans, and assessments. We will need to work with our external suppliers to ensure we have these records.
But overall, I agree that there’s not much of an issue for Outsell, and certainly nothing that can’t be quickly fixed.”
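The consent gate and “right to erase” the email sketches (store a contact only when express consent is confirmed at entry, reject records copied from websites or social profiles or built from a guessed address, and erase a person’s CRM record together with stored correspondence) as an added, runnable illustration. This is example code written for this page, not Outsell’s or Salesforce’s own implementation; the source names and the in-memory `Crm` class are hypothetical stand-ins for a real CRM form.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Hypothetical intake sources staff choose from on the entry form. Only the first set
# is evidence of express consent; the second mirrors the three practices the email
# says must stop (copying from a company site, from LinkedIn/Facebook, or guessing).
CONSENT_SOURCES = {"client_contract", "newsletter_signup"}
DISALLOWED_SOURCES = {"company_website_copy", "social_profile_copy", "guessed_address"}


class ConsentRequired(ValueError):
    """Raised when a record arrives without evidence of express consent."""


@dataclass
class Contact:
    email: str
    name: str
    source: str
    consent_at: datetime  # when the staff member confirmed express consent


@dataclass
class Crm:
    """Constructed in-memory stand-in for the CRM: contacts plus stored email exchanges."""
    contacts: Dict[str, Contact] = field(default_factory=dict)
    correspondence: Dict[str, List[str]] = field(default_factory=dict)

    def intake(self, email: str, name: str, source: str, consent_given: bool) -> Contact:
        """Store a contact only if the source carries consent AND staff confirmed it."""
        if source in DISALLOWED_SOURCES or source not in CONSENT_SOURCES:
            raise ConsentRequired(f"source {source!r} carries no express consent")
        if not consent_given:
            raise ConsentRequired("express consent not confirmed; record not stored")
        contact = Contact(email.lower(), name, source, datetime.now(timezone.utc))
        self.contacts[contact.email] = contact
        return contact

    def store_correspondence(self, email: str, message: str) -> None:
        """Attach an email exchange to a contact; refuse if no consented record exists."""
        if email.lower() not in self.contacts:
            raise ConsentRequired("no consented contact to attach correspondence to")
        self.correspondence.setdefault(email.lower(), []).append(message)

    def erase(self, email: str) -> int:
        """Right to erase: drop the contact and every stored exchange; return the count."""
        key = email.lower()
        removed = 1 if self.contacts.pop(key, None) is not None else 0
        removed += len(self.correspondence.pop(key, []))
        return removed
```

The erasure count is what a response to a data subject would report back; in a real CRM the same sweep would also have to reach any supplier copies of the data.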
Suddenly, the overhead to manage this is skyrocketing. And we’ve always been good citizens, and most companies in our industry of a similar size are too. We don’t license names, whether of clients or otherwise. We honor opt-outs and treat them judiciously. We do our best to market with value and deliver content in what we do, not spam people. Granted, spam is in the eye of the beholder. It is becoming nearly impossible to manage these regulations in the EU, then deal with Canada’s new laws, and then manage our day-to-day in and from the U.S.
Between mandatory pensions, year-long parental leaves, and new rules that arrive daily at the state, federal and country level, it’s crazy for a small company to follow the regulatory requirements of multiple regions, especially when there is no unity in the approach. We try to keep as much of our staff client-facing as we can and keep our back office lean. But when a 40-person company needs to start thinking about this level of compliance, it’s downright scary. Privacy is a nightmare, especially in the consumer marketing realm. Data brokers are wreaking havoc, and it’s been said that with five or six data sets a person can be known. Privacy schmiracy. But when small companies doing honest business get caught in the shrapnel of what these companies are doing, and regulators go after the bad guys, it often ends up sinking small boats.
Oh, where are the days of handshake agreements and simple, timeless ethics? The golden rule is a pretty good one. Too bad all companies are getting painted with the same regulatory brush. My eyes are glazing over at our new to-do list. I’d rather have us spend our precious time serving clients.
What’s next for regulatory and privacy requirements? Contact us to get started with Outsell’s research and advisory.