GDPR Compliance – what’s going wrong?

Three years on from the biggest shake up to modern day data regulation, you would be forgiven for thinking businesses ‘get-it’ when it comes to GDPR. Unfortunately over 2020-2021 Google (twice…), Amazon, H&M, British Airways and Marriott among others, have all faced fines that add up to an eye-watering £100+ million.

Some of these fines come from data breaches and unsecure cyber security practices, while in the case of BBVA’s five million euro fine, it was due to a lack of clarity in their privacy policy, and their improper use of customer data preferences.

Three years from the launch of GDPR, American Express (Amex) has been fined for spamming its customers with over 4 million emails by the UK data protection regulator, ICO.

Listen to customer preferences.

It seems that Amex forgot one of life’s basic principles – ‘there is more to listening than not talking’. They gave their customers an accessible preference sheet and allowed them to choose what communications they would receive. However, they decided to keep talking to their customers, sending over 4 million marketing emails to customers who had chosen not to receive marketing communications. Amex argued that these emails were about ‘servicing’ and were not marketing emails. The ICO disagreed after receiving complaints from numerous customers, and fined Amex £90,000.

While this is a contender for the most expensive email marketing campaign ever, it is also a perfect representation of why business-wide understanding of GDPR is so important to an organisation’s overarching operations and reputation.

GDPR lessons:

There are many lessons to be learnt from Amex’s mishandling of customer data. The first being that it is vital to allow your customers to manage their data preferences. It creates a positive experience for the customer and removes the human error factor in data preference handling.

Secondly, have strictly defined preference parameters for all communication. Amex had the foundations in place to have good data handling procedures. They had customer-led preference management, and well categorised preferences for all to understand in the business.

Thirdly, educate your workforce. Amex’s downfall sits somewhere in between their workforce not understanding the difference between servicing communications and marketing communications, and decisions being made to use personal data in a way that it wasn’t supposed to be.

Achieve GDPR best practice with our Online Data Protection Courses

The single best way to guard against breaches of data protection is to educate your workforce. If all employees understand the basics of GDPR, and how they can help their organisation stay compliant, the risk of fines by governing bodies and the subsequent reputational damage is minimised.

We provide expert GDPR e-learning courses to help businesses stay ahead of the GDPR curve. Click here to discover how we can help with your GDPR and other data protection needs.



Leave a Reply

Your email address will not be published. Required fields are marked *