Is Wetherspoons setting the bar for GDPR?

Posted on 13 Jul 2017

The news barely made the headlines. Tim Martin, prominent Brexiteer and founder of Wetherspoons, the pub chain, is great at making the headlines when he wants to, but the news that Wetherspoons had deleted its entire customer database on purpose, was hardly picked up at all.

The database, of around 700,000 names and emails, could have been a significant marketing tool, used to highlight promotions and offers, creating greater customer loyalty and for research into customer trends. However, the database could also represent a significant business liability, and one that Wetherspoons management decided was too great to bare.

The General Data Protection Regulation (GDPR) comes into force in May 2018 and with it comes the possibility of major fines. GDPR brings in new obligations including data subject consent, data anonymisation, data breach and trans-border notifications. Whilst data protection rules already exists, the new regulation is going to make a significant difference to the potential fines that can be imposed. Under the new regulations, firms can be fined up to 4% of their global turnover. For perspective, a recent study by the Information Commissioners Office (ICO) concluded that the fines against British companies for breaching the Data Protection Act 1998 totalled £880,500 in 2016. Under the incoming GDPR, these same fines would have totalled £69m. Talk Talk’s 2016 fine of £400,000 alone would have ballooned to £59m.

"On a risk basis, it’s just not worth holding large amounts of customer data which is bringing insufficient value," says Jon Baines, chair of The National Association of Data Protection and Freedom of Information Officers.

In 2015 Wetherspoon suffered a breach of their customer database, when it was reported they had 656,723 names. When questioned about deleting its customer database, a Wetherspoon’s spokesperson said: “Following the data breach in December 2015 Wetherspoon has been reviewing all the data it holds and looking to minimise. We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.”

Insurance firms, who typically hold large amounts of data and information about their customers, are on the whole aware of the effect the GDPR could have, and are slowly starting to make provisions for the security of their data. The greater liability for firms however could also prove a problem for insurers as the insureds potential losses under the new regulation greatly escalate.

For those thinking that Brexit will rid them of this troublesome EU regulation, think again. The new regulation comes into place before the official Brexit leaving date and the ICO has publicly stated that it will introduce something similar to GDPR post-Brexit if necessary.

It looks like larger fines for data misuse are here to stay, and Wetherspoon might be getting in the first round of a new data trend.