Peter Hayes, Author at Quadrant Consultants

Peter Hayes September 2, 2019

How GDPR became GooD PRactice

Peter Hayes

In the middle of the three Brexit years, 2016 to 2019, came ‘the year of GDPR’. How did organisations cope? Has GDPR shown us what good practice is? We think so.

How does this much-anticipated year now look, with the benefit of hindsight? Writing as both a business operator, and as business advisors, it looks like an unusually fast transition to ‘business as usual’. As so many critical infrastructure transformations end in delay, cost and upheaval, how did GDPR become routine?

The answer to that is partly in the appeal of facts, in an uncertain world, and in a respect for experts, in an era when we were supposed to no longer have time for them. GDPR highlighted the unavoidable accountability for fact-driven consents, and it heralded a legion of officers, Data Protection Officers, as expert guardians of truth. “Are we good to mail both customer sets?” “Are consents up to date”? Ask the DPO.

How GDPR rebuilt our faith in facts

We noticed in the build up to May 2018 a concerted effort to tackle an escalating risk faced by most public facing and serving organisations – that of facts, and trust.

How GDPR was interpreted and introduced for the UK was largely down to the Information Commissioner’s Office (ICO) and they saw it as a way to get on the front foot, for upholding information rights. ICO had only recently gained a new Commissioner, Elizabeth Denham, who spotted the seven principles, like seven samurai that could be mobilised to show ‘what good business looks like’.

The Seven Principles of GDPR

Lawfulness, fairness and transparency

Accuracy

Purpose limitation

Storage limitation

Data minimisation

Integrity and confidentiality

and, underpinning all of these, Accountability

The prevailing Data Protection Act (the 1998 Act) had not been remiss. It just lacked the turbo charge of accountability which to us is the linchpin of the above principles.

Are we all feeling more accountable?

Accountability requires us to take responsibility for meeting all of the principles, and we have to show we have the appropriate processes and records in place to comply.

#FACT – ‘A Boom in Data Breach Reporting’. Reports about personal data breaches increased fourfold in one full year of GDPR working. The ICO declares it received around 14,000 Personal Data Breach (PDB) reports from 25 May 2018 to 1 May 2019 up from around 3,300 in the year from 1 April 2017. Are there more data breaches? Maybe. Are more companies accountable for reporting them? Definitely.

GDPR, with embedded accountability, became more than a behavioural nudge to corporate behaviour. To us, accountability became the vital baton in a relay race. Europe, then the ICO, started the lap. Organisations took on the baton. Adjusting to a GDPR way of working brought the opportunity to build trust from customers. Not living and working by GDPR now risked a crippling fine. We like to think the benefits outweighed the potential costs, for the vast majority of well-intended enterprises.

How did this change customer handling organisations? It seems, a lot. Accountability encouraged to appreciate information rights, evidenced by a demand for help.

#FACT-‘More organisations want to know more about information rights’. The volume of enquiries received at the ICO from businesses, organisations and individuals has reached new levels. The service received over 470,000 contacts in the first full year of GDPR, a 66% increase from 2017/18.

Who are you going to call?

Well, before GDPR and the ICO brought clarity of accountability to information rights uncertainties, we might have called the Head of IT, the Company Secretary or maybe the Marketing Chief. We’re not sure who they in turn would have called. Now, it could not be clearer. The Data Protection Officer has stepped up, and will be with us as a lasting EU legacy.

#FACT-‘At the last count, there were over 35,000 active DPOs listed on the ICO’s data protection public register. For customers (‘subjects’) that means an easily reached first level of enquiry, and for organisations, it means a trusted expert.

Where next with GDPR?

Well, in one way, there should not be ‘the year of GDPR’ as it is not an event. It is a profound reorientation of information rights towards the subjects, our customers, and ourselves.

It is also not a role for one person, a DPO, any more than quality was purely the responsibility of a Quality Manager. If organisations take on the realisation that a GDPR way of working is no more or less than any good organisation should do, and that it can even provide a competitive advantage, things can only get better.

If more subjects (‘us’) value our information rights, in how and where we make transactions, or share personal data, we will get a good equilibrium with service providers, and get the overall and overdue good practice in all things personal data.

Peter Hayes August 22, 2019

Private Schools – an uncertain future?

Mike Berger-North

Whatever one’s political stance and educational preferences, private schools are a topic of much debate and strong views.

At the recent 2019 Labour Party conference, delegates adopted a motion committing the party to making all fee-paying schools public, with the probability of including it in their election manifesto. On the surface, a significant potential issue for private schools but this prospect has hung over the sector for many years.

In addition to the continuing political shadow on the horizon, the private school sector is facing many immediate challenges to its appeal and sustainability.

Top of the list is the government requirement for universities to widen their access and demonstrate that they are committed to admitting a higher proportion of state school pupils. There is a particular emphasis here on Oxbridge and the other, perceived as elite, Russell Group universities. This autumn, more than 68% of students at Cambridge are from the state sector, up from 65% last year. Historically, a major appeal of private schools has been their well-publicised success in their pupils gaining access to Russell Group universities.

For private school governors, currently top of the in-box is the issue of teachers’ pensions. Employer contributions are due to increase from 23.6 per cent, up from 16.48 per cent now. The Chief Executive of the Independent Association of Prep Schools has written to the Treasury warning that more than 100 preparatory schools could shut down because of the increase. And with schools deciding to leave the Teachers’ Pension Scheme, it will make it much harder to attract new staff alongside an expected exodus of current staff to the state sector.

Additionally, governing bodies wrestling with the teachers’ pension requirements have recently been hit, with the Department of Education announcing that salaries for new teachers are set to rise to £30,000 by 2022-23. Many good teachers from the private sector will find the state school remuneration package more financially attractive and secure in the future.

But if the teaching staff are the most valuable asset in schools, within the private sector physical assets and the approach to an all-encompassing curriculum and child focussed development have always been important. Even here many new academies and free schools have been playing catch up and copying the approach of the private sector – sports facilities, out of hours activities, individual child centred support etc. In many cases, the local new state school now boasts far more appealing facilities than neighbouring private schools, providing a compelling child centred offer in comparison.

In addition to the school centred challenges, the uncertain outcome of Brexit could produce many unintended consequences, not least a downturn in admissions from overseas students and an exodus of current students due to financial pressures.

Despite the uncertain political ramifications for the sustainability and future of private schools, the current economic and market challenges will be well known to governors and school leaders. It is prudent therefore for governors and school leaders to satisfy themselves that their school and community are robust in the following areas:

Brand strength – not just the logo, website or brochure. An understanding of the distinctiveness of the school, its history and heritage, and a complete integration of the values and culture embodied in the DNA of the school and understood by all partners – students, staff, parents, governors, ex-students and staff, and the local/regional/national community.

Staff development – ensure all staff are collaborated with as partners in the development of the school, its brand and ethos and have full personal development plans in place – coaching, mentoring, training, career development

Local community – make sure the school is a part of the community not apart from the community. Let the local community into school and share in its development, and, embrace and support their local issues, concerns and initiatives.

State school partnership – support and share with your local state schools, initiatives, activities and resources – physical and personal.

Benefits not features – understand the real benefits you provide for your students and staff, rather than just focus on the features of the school and its environment.

Recruitment and admissions – make certain there is a fully integrated approach to this critical area where everyone understands and plays their part – students, staff, parents.

Maximise assets – ensure your physical assets are generating returns for as much of the year as possible. Agree with your staff how their expertise can be used in the most effective way, for themselves and for the school.

Advocacy – engage with all your potential partners, supporters and advocates to maximise the reputation of the school and its values and enhance its profile locally, regionally and in some cases nationally.

A future Government and/or Brexit may produce some unforeseen or unpalatable outcomes but the challenges detailed above are real and now. Schools that can see these challenges as opportunities and react to the current and anticipate potential future circumstances will thrive, those that accept the status quo may find it difficult to survive.

Peter Hayes February 1, 2017

About Marketing and customer privacy and consent with GDPR

We get to work on the marketing side of management consultancy, more than any other aspect. About growth, and change for a better customer offering and experience. Our team is made up of classically trained marketers. We bring a healthy respect for the 1998 Data Protection Act, which was a catch up on the EU Data Protection Directive of a few years earlier. You know where this is heading. Europe and the General Data Protection Regulation.

What has the EU’s GDPR got to do with you? Well, a lot, if you maintain and process records of personal and customer data.

GDPR is a big change for marketers, and our work over several years with the Information Commissioner’s Office (ICO) gives Quadrant a heads up on what it means for marketers. Big data now coincides with big accountability, meaning there are big risks. Let us share a heads up with our readers, many of whom are waking up this New Year to GDPR.

GDPR actually is a Game Changer

Let’s put the risk in scale; likelihood = low for GDPR minded folk, liability = extreme, if not.
For example, TalkTalk had a sizeable £400,000 ICO fine around insufficient protection of customer data, in October 2016, since fixed. Any organisation in serious breach of GDPR after 2018 faces a fine of ‘4% of global turnover’. For the most serious violations of the law, the ICO will have the power to fine companies up to twenty million Euros or four per cent of a company’s total annual worldwide turnover for the preceding year. (source: ICO – Will GDPR Change the World? 25 May 2017)

The Information Commissioner, Elizabeth Denham, delivered a speech recently on GDPR and accountability. It included plenty of good tips and a few ‘critical friend’ observations too;

“There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone.”

Consenting Adults

There are already a huge number of articles and guidances on GDPR. On that, our advice would be to stick close to, and engage with, the ICO and their free half day briefing events.

Let’s just focus on one aspect here, with thanks to the ICO for their plain speaking notes.

The GDPR has references to both ‘consent’ and ‘explicit consent’. The difference between the two is not yet clear given that both forms of consent have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes. We’d say ‘assume explicit’, in your own planning, until the tiers become better defined.

For marketers, consent under GDPR requires some form of clear affirmative action. Silence, and the fall back of pre-ticked boxes or inactivity does not constitute consent. You have to be able to verify it, and this means that some form of record must be kept of how and when consent was given. Many CRM systems will need an overhaul, and probably a data refresh. Also, individuals have a right to withdraw their consent at any time, and they will.

Where you already rely on consent that was sought under the DPA or the EC Data Protection Directive (95/46/EC), you are not required to obtain fresh consent from individuals if the standard of consent meets the new requirements under the GDPR. And here is our second top tip – appoint your Data Protection Officer (DPO), as a focus on risk. That in itself does not relieve the organisation wide responsibility, but an in-house responsible person helps.

Reasons to appoint your DPO?

Your data processing operations require regular and systematic monitoring of data subjects (personal information) on a large scale, or
You conduct or instruct processing of a large bulk of special categories of data (i.e. health, religion, race, sexual orientation etc.) and personal data relating to criminal convictions and offences.

The recruitment fees for DPO’s with sector sensitivity will jump, so be prepared.

Leaving Europe but not leaving GDPR

Just as our own Data Protection Act followed the earlier EU Directive, so will our organisations that come under GDPR become enforced by those provisions. Large and international brands already attract and process customer information across EU borders. The GDPR applies across the UK from 25th May next year, 2018. The government has confirmed that the UK’s decision to leave the EU does not affect the impact of the GDPR.

Marketers planning for Brexit have now just gained a New Year’s resolution for 2017. Get well ahead of GDPR, get in touch with your customers if you need to be assured of adequate consent, and appoint your Data Protection Officer.

Incoming – Consent Mailings by the Dozen

A final tip is put yourself in the place of your own customer. Our prediction is that most will be mailed with a direct marketing designed sequence of engagement and enrolment into explicit consent. From polite early permission seeking, to more pointed mailings, or incentives. Once the early consenters are gathered, new forms of motivation will be needed for organisations to be sure their databases are compliant, or limit their use, or risk that fine.

Many of us have four or five dozen organisations that process our data, currently DPA compliant. Think of that. ‘Incoming’ from 50 odd mailers over the coming year, multiplied by the number of times each may need to contact us? Several hundred individual interactions with any one customer, and any one might generate consent, or alienate and lose one.

Our last advice – do it well, and do it early. Quadrant is already getting ahead with our clients, on what to say or mail and when. Do get in touch if you want help.

Maybe we leave the last words to the Information Commissioner, Elizabeth Denham, who put customer trust into perspective, about how to avoid the wrong sort of surprises.

“Isn’t having customers’ trust a cornerstone to good business? Isn’t that intangible relationship with customers: loyalty, trust, repeat customers, something most companies want?”

Quadrant neither condones nor encourages the placement of padlocks on public bridges