Pub chain JD Wetherspoons has quite a fanbase in the UK, but the company has decided it’s safer to delete all its customer data than risk it being hacked.
Several high-profile hacks in recent months have brought to light the seriousness of data leaks resulting from databases being hacked. Beyond the disrepute which can have an impact on future custom, individuals and companies also have to face a potential fine resulting from increasingly strict data protection regulations.
Wetherspoons’ decision was announced on Friday June 23 in an email from chief executive John Hutson.
“Many companies use email to promote themselves, but we don't want to take this approach – which many consider intrusive,” Hutson wrote to subscribers. “Our database of customers’ email addresses, including yours, will be deleted.”
Rather than newsletters, the company will now use its website and social media accounts on Twitter and Facebook to promote deals and other relevant information.
Wetherspoons itself suffered a data breach in 2015 in which the details of 656,723 customers were leaked. For most, this included the customer's name, date of birth, email address, and phone number, all details which can be used for phishing attacks. A small minority also had some credit/debit card information stolen, but only the last 4 digits of the cards were obtained since the remaining digits were fortunately not stored in the database.
The company has not disclosed the number of customers whose data will be deleted as part of its decision, but it’s likely to be quite a bit higher than the number of customers the company had in its database back in 2015.
"On a risk basis, it’s just not worth holding large amounts of customer data which is bringing insufficient value," says Jon Baines, chair of The National Association of Data Protection and Freedom of Information Officers. "This could be the case even where the organisation is clear on which customers have given consent to marketing and which haven’t."
The EU’s new General Data Protection Regulation (GDPR) comes into effect on 25th May 2018 and means companies can be fined up to 4 percent of their global turnover. A study by NCC Group found that fines from the ICO in 2016 would have gone from £880,500 to £69m if the GDPR had been in force.