Francesca Hawken
07 March 2018 00:00


GDPR: four letters not to be ignored. From 25th May, GDPR will come into full force and at the NEC Group, it is at the forefront of our minds. The introduction of the General Data Protection Regulation (GDPR) will standardise the way businesses hold, use and share personal data with tough penalties for misusing customer data and a new requirement to report any breaches within 72 hours.

Below, Simon Wigley, Head of Business Intelligence and Analytics at NEC Group writes about his approach to GDPR:



"My personal stance on our imminent new data privacy laws is that I largely welcome them. Some brands like J D Wetherspoons have taken the dramatic step of deleting their entire mailing list -  stating they will stop sending newsletters by email and instead focus on their social media channels. NEC Group is not in a position to do this. Channels like emails remain important enablers for us to speak to our customers.

Instead of trying to fight or circumnavigate the new rules, our approach is to align with what the law is trying to achieve – we want to give people back control of their personal data. Our business is world-class live events. We have products and services that many people want to hear about - if they don’t, that’s fine too and we’d rather know and not bother them. From the outset, we have been focusing on how we can use this opportunity to make customer experience better while protecting the financial benefits of data.

At the NEC Group, we work to the following principles:


If we can’t easily explain to customers what we’re doing with their data, then we probably shouldn’t be doing it - We are challenging a lot of areas where we previously stored data. We are going through a process of asking ourselves if we really need that data: if we had to explain it to a customer would they be likely to agree? This has already resulted in us deleting parts of our database.


We probably will lose some records - But hopefully not too many and they are only likely to be cold prospects, not customers. The challenge is to minimise this and make sure we retain the most valuable ones going forwards. Spending more time working with this second group is a better investment.



Transparency means telling the customer what you’re going to do with their data and the benefits they get in return - Customers need to trust companies with their data. If we break that trust, aside from financial cost, both brand loyalty and reputation are at stake. An EY survey found 74 per cent of UK consumers would stop purchasing products from a brand whose actions they no longer trust and 73 per cent would think twice about using companies that failed to keep their data safe.


Privacy needs to be baked into decisions from the beginning - It can’t be retro-fitted at the end when it can often be too late to change things. Holding privacy impact assessments at the start of projects can be a great way forward. They ensure you think about the rights of customers and their data as well as your business objective and weigh up the pros and cons of both.


A data breach is far more likely to occur through an unengaged front-line employee than due to having the wrong policies - Out of all the steps to get ready for GDPR, making sure we take our people with us and we truly engage them tops our list of priorities.


We’ve changed our vocabulary - It sounds obvious but we’ve found talking about respect and privacy is easier for people to relate to than acronyms and legalese. We are also realistic about staggering the information – bite-sized drop-in sessions to test the security of your password with a free doughnut are proving popular.


Respect for data needs to be embedded at every level - We appointed a senior colleague as Data Protection Officer and set up a privacy board of key managers across the business. We also created an incident team to test out crisis simulations.


Customers must be able to see clear benefits from us collecting their data - This is where marketing can really play a role. We need to communicate in an appealing way to our customers what that is and why it is a benefit. We’ve been trialling different opt-in mechanisms and also various ways of wording statements and how we place them on a page, all of which make a huge difference to response rates. More brands are now using question marks and pop up boxes to explain complicated terms and why they need a piece of data. This format avoids cluttering the page with too much detail – while providing extra information if the customer wants it. 


There are big changes to accountability - You can’t rely on anyone else for your data being compliant anymore.


Penalties are serious money - Now this has been confirmed as up to £20m or four per cent of turnover, it has really focused everyone’s attention. Recently, several household name brands have fallen foul of existing legislation by contacting customers who have opted out of receiving marketing material about their data preferences. Their five-figure fines would stand to get substantially higher for a similar breach after 25 May. 


Having good processes in place on Day One is key – including evidence you have reviewed all areas of data privacy - The Information Commissioner’s Office (ICO) is likely to judge early offenders on their level of preparedness as much as the breach itself. They’ll be looking for documented data governance - records of clear, robust processes in place - including written policies, audit and reviews. The impact of GDPR is going to be biggest on companies that cannot demonstrate that they take data protection seriously at all stages of their business.


Brexit is unlikely to affect GDPR - There was a lot of discussion after the Brexit vote about whether GDPR would happen. We now know Brexit will not impact this law (or at least not in the short term) as it becomes enshrined as English law as part of the Data Protection Bill.


GDPR will drive up global standards of data privacy - After 25 May, your data record will be judged as only as good as the lowest common denominator of the records of your business partners. Any organisation wanting to do business with customers in the EU will need to reach GDPR standard. This can have interesting consequences. Although Facebook is an American-owned company, one fascinating effect of Germany’s new online hate speech law is that 1/6 of Facebook’s global moderation team now sit in Berlin and Essen. GDPR will also drive new behaviours from non-EU companies.


Consumers are likely to get more data-savvy - There has been much debate in legal circles over whether GDPR will raise potential for class action suits over data breaches. If customers can smell the money, they are likely to be more vigilant. Added to this, governments are likely to invest in data security awareness campaigns around the launch of GDPR.


To conclude, the risk of human error will always be with us and especially given the highly-public and potentially eye-watering fines involved, there’s no time to be complacent. But once these rules bed in, I suspect the level of industry angst may reduce for those who have prepared sufficiently and in the long-run there is every chance the GDPR legislation will have a positive impact on businesses and the relationships they have with their customers."