You know the upcoming General Data Protection Regulation (GDPR) has moved from being the preserve of lawyers, marketeers and IT boffins to the mainstream when it gets a mention in the 8 o’clock headlines on Radio 4… closely followed by a feature about toe-sucking on the BBC’s Poldark!
The GDPR has been waiting in the wings for some time, but next year – on May 25th, 2018 to be precise – it officially comes into force, and it will alter the way all UK businesses handle personal data forever. No wonder it’s elbowing Poldark out of the way on primetime radio. For many operators, data protection can be a bit like health and safety – just one more job you’ve never really got enough time for. But with the GDPR introducing considerably heftier fines for data breaches – four per cent of your annual global turnover or a whopping €20 million, whichever is higher – it’s time to give it more attention than a niggling task at the bottom of your to-do list.
In today’s society, we hear a lot about the proliferation of data, how much more is collected now than ever before, allowing organisations to offer tailored, targeted and personalised products and services. Both in business and personally, we’re all ‘data subjects’ – increasingly reliant on our smartphones, computers, the internet and social media, all of which accumulate data at our every click and tap.
Our lives will be ever more determined by the data held about us. But that same data is more open to compromise than ever, in ways that go well beyond what the current data protection law (the Data Protection Act 1998) was designed for or is able to legislate against. The GDPR will bring data protection bang up to date by giving all EU citizens greater control of their personal data – how it’s collected, where it’s held, by whom and for how long. It will affect all leisure operators who hold personal data about customers, prospects and employees, and the government has confirmed it won’t be affected by the UK’s decision to leave the EU.
In the UK at present there’s no legal requirement to report data breaches – if your personal data is stolen or compromised, you may never even be aware of it. In the event of a breach under the GDPR, controllers must notify their appropriate supervisory authority – in the UK that’s the Information Commissioner’s Office (ICO) – “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If the breached data wasn’t encrypted, you’re also responsible for informing the data subjects involved (your customers). So, no burying heads in the sand, pretending a slip hasn’t happened. From next May, if a personal data breach occurs, you’re compelled to ’fess up.
What counts as ‘personal data’ is getting an upgrade. Online identifiers like IP addresses and cookies will now count. ‘Special category’ sensitive personal data, such as information relating to someone’s political opinions or religious or philosophical beliefs, will now also include genetic and biometric data. So, any data used to measure athletic performance or health now counts. Lastly, beware of anyone under 13 and presume you have to class their data as more sensitive than an adult’s. If you’re signing up children, ensure you now get a parent’s signature, even if they’re a teen.
No more hiding consent for email marketing in T&Cs; going forwards it must be validly collected – it’s not enough to presume you have customers’ consent, and implied consent won’t work either. Consent tick boxes will need to be separate elements, with their own specific, time-bound and age-appropriate wording. You’ll also need to name third parties – just saying ‘selected third parties’ won’t be enough anymore – and make sure you give a clear option to withdraw consent and keep records that prove consent has been given.
Your customers can ask to be completely forgotten, and all their data to be removed from your records, so you’ll need to ensure your database allows this to happen swiftly and easily.
Perhaps Julie Andrews had a point when she sang about starting at the very beginning, because in this instance it is a very good place to start. “Begin by getting organised,” advises Joanne Barton, Product Design Leader and GDPR Lead at Gladstone. “Think about what data you have, why you have it, how you manage it, where it’s stored, who’s responsible for it and who has access, why you’re keeping it and for how long. If you really need it all, how long do you keep it? The days of just collecting data and keeping it forever are gone. All leisure operators will need positive policies about what they’re keeping and why. Map it all out so there’s no confusion. And look across all your systems – digital and manual, Gladstone and third party – they all count.”
The key, says Barton, is to design a security aware culture, so every staff member knows what journey data should take through your organisation. Manage your data in a structured way and protect anything you wouldn’t want to be disclosed. “The weakest point is often the human hand; you can enforce strict security protocols but if your staff aren’t aware of data protection requirements, there will be unknowing mistakes that cause a breach.”
Adopting strong passwords goes without saying, and encryption of key data is recommended – it’s the best way to keep your customers’ data safe, especially for new ‘special category’ sensitive information like ethnicity, gender and health issues. If a breach does occur but proper data encryption standards have been used, for the most part your data is useless to an attacker.
“Expect the best, but be prepared for the worst,” says Barton. “The average cost of a data breach is $3.4M. Make sure you plan and rehearse a contingency plan of what you’ll do and who’ll do it.”
Lastly, think very carefully about what you keep. If a member leaves your centre, how long do you retain their details? And if you delete, purge or archive, how is it handled? A cross customer who’s still being contacted again and again will be the first to report you to the ICO.
What about sleepers? Is it safe to let sleeping members lie? “In reality, you may not be able to carry on relying on them as a safe income stream,” says Barton. “If you’ve been efficient with consent upfront you may be OK, but it’s unwise to presume. The only way to ensure compliance is to re-establish contact and collect consent at the level you need.”
While software products alone can’t ensure your business is compliant, Gladstone has meticulously delved into the GDPR fine print and identified specific areas across both its platform and service offerings that are being enhanced to make it easier for customers to meet their obligations under the new requirements. It’s changing 80 per cent of products across all areas, and is using specialist lawyers and data privacy experts to review the changes so nothing’s been missed.
“The majority of our modules and products will need some changes to align with the GDPR legislation. We’re looking at access to systems, introducing secure passwords and HTTPS by default and adding another layer of encryption at key sensitive points,” says Joanne Barton, GDPR Project Owner at Gladstone. “We are building new versions of products according to the ‘Privacy by Design’ principle, enabling our customers to fulfil their duties in adhering to the GDPR. As our review progresses, we’ll advise the schedule for software updates; new versions of products will begin with Early Adopter versions from FY17-Q4 to FY18-Q2. All Gladstone customers will have the option to book an upgrade to GDPR-ready versions at General Release prior to the May timeframe.”
It’s worth remembering that every system upgrade is only as good as the person using it. “Take secure passwords,” says Barton. “If a staff member accidentally allows someone to shoulder surf, or writes their secure password down on a Post-it and then places it under the keyboard, there are obviously going to be problems! It’s about changing your culture, not just the software.”
“Using Gladstone products alone will not make you GDPR compliant,” says Barton. “It’s your business, as the primary data holder, that needs to be compliant. We can provide resources to help clean up databases but responsibility resides with you.”
If you’re reading this with a sinking heart, try thinking about it in a more customer-centric way. “Don’t forget, all the GDPR’s really about is personal privacy, equality and trust.
We all care about that and expect the businesses we give our details to will keep them safe,” says Barton. “Customers must feel they have control over data you hold. Get this right and they’ll know you respect them.
Think of the new rules as a way to help you manage data more effectively, both internally and externally. Build privacy into your organisational culture, rather than seeing it as your enemy. Ultimately, customers who feel they can trust you with their data will know you respect them and be more loyal.”
Don’t think ‘GDPR’s not for me!’
It impacts everyone and it’s all our responsibilities.
In summary, remember:
If you are starting from the beginning, you can watch a 30-minute GDPR overview for operators.
During 2018, Gladstone has worked to ensure that its products are GDPR-ready. This work is now complete, and the latest releases of our product portfolio will facilitate our customers' GDPR compliance. To be clear, updating to these latest versions doesn't make our customers compliant with the GDPR, but the releases will help operators by providing functionality that assists them in achieving compliance.
For example, we have redesigned the contact preferences section of Gladstone360 so that our customers' clients are required to give their permission for each communication option separately. This means that permission to email the customer for marketing purposes will have been given explicitly, not assumed because they failed to ask not to be contacted in that way.
Because GDPR compliance is a legal requirement in the UK, all Gladstone software versions now include this feature. To avoid infringing GDPR requirements, we recommend that all customers who have not already updated to the latest versions do so during the remaining months of 2018 or soon after. Of course, we will continue to support customers who have not yet updated to the latest GDPR-ready versions of the software, but please note that any subsequent patches or bug fixes that are required will only be applied to these latest versions of our products. There will be no further feature enhancements for versions earlier than the GDPR releases.
Because of the dependencies between the platform modules, pre-GDPR versions cannot be run in a mixed environment alongside the latest GDPR versions. Customers should also be aware that Contact Manager is now end-of-life. This product will not work with GDPR versions; we recommend customers review the new Prospects module.
To get current, the challenge for many customers will be the cost and resourcing of the services associated with upgrading multiple, individual on-premises versions. Our recommendation in these circumstances is to look at switching to a hosted solution.
Both Gladstone360 and Plus2 (and GladstoneOne) are available as a hosted solution. The hosted platform delivers major benefits for operators by reducing IT overheads and significantly lowering the cost of Professional Services time, as customers will never need to pay for an upgrade again. There is no charge for Professional Services for the software operators already own. The hosted implementation runs on dedicated, fully resilient hardware in a UK datacentre. Operators can be assured that their data and services are in a safe pair of hands with RackSpace, Gladstone's hosted platform provider. Moving to a full deployment of GDPR-ready products will be most cost-effective when implemented as a hosted solution, future-proofing your Leisure Management System (LMS).
Gladstone has prepared a range of online CBT training. This page is password protected; please contact your Gladstone Account Manager for access.
As well as taking advantage of the software upgrade opportunities, Gladstone has put together a series of GDPR Data Services (optional), which will become available to you once you have upgraded to GDPR-ready versions of your current software. Each service is designed to make it as easy as possible for you to ensure your business is GDPR ready.
The costs for each service start from £150, with discounts available when purchasing in bulk. The menu isn’t exhaustive, and if there are any other data services you would like to discuss with us then we will be happy to work through the viability of them with you and provide a personalised quote.*
* All product modifications will be made to the general release version of the software only. Customers on legacy versions should start planning upgrades in conjunction with their Gladstone Account Manager and Project Managers. Please note that some very old legacy versions may require an interim upgrade for compatibility with the latest GDPR-ready versions when they are released.
Gladstone has partnered with ClearComm, part of Kingston Smith & Partners – one of the top 20 accountancy and audit firms in the UK, specialising in data protection solutions. Our partnership with ClearComm and their expertise around data, audit and process management gives operators peace of mind that they can become fully GDPR compliant.
You don't need to be a Gladstone customer to take advantage of the ClearComm services offering – it's available to everyone.