Here’s the problem.
You’re a pub chain, with almost 1000 outlets up and down the UK and Ireland. Over the years you’ve collected masses of data about your curry-loving clientele, or at least those who have bought purchases online, connected to your Wi-Fi, or signed-up for your newsletter.
Why’s that a problem?
Well, that data is toxic if you can’t be confident you’re protecting it properly to keep it out of the hands of hackers.
JD Wetherspoon, better known as “Wetherspoons” to its regulars, seems to be taking matters into its own hands.
The company, which is presumably still nursing something of a hangover after discovering in late 2015 that it had suffered a data breach involving the personal details of some 656,723 customers, has decided to delete its email database.
As Wired reports, JD Wetherspoon sent an email last week to members of its customer database saying that it would no longer be sending out newsletters, and would be permanently deleting their records:
I’m writing to inform you that we will no longer be sending our monthly customer newsletters by e-mail.
Many companies use e-mail to promote themselves, but we don’t want to take this approach – which many consider intrusive.
Our database of customers’ e-mail addresses, including yours, will be securely deleted.
In future, rather than e-mailing our newsletters, we will continue to release news stories on our website: jdwetherspoon.com
You can also keep up to date by following our Facebook and Twitter pages, using the links below.
Thank you for your custom – and we hope to see you soon in a Wetherspoon pub.
Why doesn’t JD Wetherspoon want to email you anymore?
But sending email is really cheap, so I find it hard to believe that it would be prepared to switch off the taps like that for those reasons alone.
No, I suspect JD Wetherspoon might have other concerns.
Such as the fines that the Information Commissioner’s Office (ICO) has recently imposed on the likes of Honda and Flybe, after determining that those firms had not properly received users’ consent to be sent marketing emails.
Honda, for instance, was unable to cough up any evidence that its customers had ever given consent to receive emails. Ironically, the car firm was caught out after sending 289,790 emails which attempted to clarify whether customers wanted to receive marketing emails or not.
In the ICO’s view, the firms should already know (and be respecting) that all of the recipients in its email list had knowingly consented to receive emails from them.
So, maybe JD Wetherspoon is worried that it has a huge number of email addresses – which it sends newsletters to on a monthly basis – but has never asked (or simply lost) explicit permission.
In such a scenario, maybe it makes sense to wipe the email database.
And with much tougher data protection regulations coming into force in May 2018 in the form of GDPR, it may be a canny move to securely wipe such information sooner rather than later.
You can hear us discuss more about GDPR, and its impact on businesses around the world, in this recent “Smashing Security” podcast:
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.