JD Wetherspoon deletes database
The news that JD Wetherspoon has deleted their email database of 750,000+ names has received wide-spread coverage. The multi-million pound pub chain stated “we won’t be emailing you anymore and we have deleted your details” and “from now on you can contact us and find out about events and news here,” pointing to their Facebook page and Twitter profile… a bold move from this major brand. But why would they make such a move?
Businesses are taking the GDPR, which comes into force next May, very seriously. It’s understandable when fines for non-compliance can be the higher of 4% of worldwide gross turnover or €20m – and clearly Whetherspoons believes that deleting their database will make sure they stick to the GDPR.
But Whetherspoons’ marketing database comprises only a small aspect of their marketing and data processing activities, under the GDPR. Social media is included and that means that they may need to put in place detailed agreements, with social media providers, regarding their processing of personal data on social media and other platforms, too. And it doesn’t stop there…
Wetherspoons will need to be GDPR compliant in all of the data-processing activities they undertake – including payroll bureau services, human resources, web-hosting, cloud providers, communications with their other offices and the ways in which they might need to share this information with other ‘partners’.
They might well have decided that outsourcing their data processing is the answer to GDPR compliance, but the agreements they have with third party processors will need to be very carefully negotiated and drafted. However hard they might be trying to ‘dodge the bullet’ of risk, any breaches of the GDPR will remain the sole responsibility of the business controlling the data… and that means Weatherspoons.