If you collect personal data from your customers, then you should be aware of data protection issues, particularly your requirements under the Data Protection Act 1998.
The Act outlines eight basic Data Protection Principles. These are that personal data must be:
- processed fairly and lawfully;
- obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
- adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- not kept longer than necessary;
- processed in accordance with the rights of data subjects under the Act;
- secure - appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
- not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
While the rules and regulations under the Data Protection Act (DPA) can appear daunting, the main principles are relatively straightforward. Phil Jones, assistant commissioner at the Information Commissioner’s Office (ICO), explains: “Essentially, any organisation that processes and stores personal information must comply with the eight principles of ‘good information handling’.”
The Main Principles
These eight principles relate to ensuring personal data is processed honestly and safely and that it is current and correct. “By following the simple principles of the DPA, organisations can ensure they retain the confidence and trust of their customers,” Jones explains. They can also make sure they stay on the right side of the law.
Mike Bradford, director of regulatory and consumer affairs at Experian, agrees: “The use of data is all about common sense and optimising relationships with customers. The DPA gives marketers a sensible framework for marketing responsibly.” He believes that many organisations start the marketing process by looking at how they should tackle the DPA, when in fact they should start the other way round.
“Marketers should look at their customer base and determine how they can make the most of it. They should then think about how they can do this without breaching the DPA to build long, profitable relationships.”
Organisations that act responsibly and are clear and transparent about what they are doing with their customer’s data will ultimately extract the most benefit from it.
But for many organisations the intricacies of the Act do cause confusion. Nigel Magson, chairman of Tangible Data, points out: “Even experienced data marketers and lawyers are struggling to get clarification on certain circumstances.” Magson advises marketers to ensure they’re familiar with the latest legislation, regulations and codes of practice and, he says, “if you are in any doubt at all, seek professional advice”.
The most important element of data storage is security. It is imperative that customer data does not fall into the wrong hands and that sensitive personal information is not compromised. Once that happens, it can be nigh on impossible for any brand to regain its customers’ trust and rebuild its relationship with them.
“You need to control secure access, especially if multiple parties are going to be using the data,” explains Magson. “Encrypted technology is now prolific, with security passwords for data access and varying levels of functionality. This allows different people to have differing access levels depending on what they need to do with the data.”
Access to data should not be given to just anyone within an organisation and should only be granted to individuals who need access in order to perform their job. Michael Brown, group security manager at Callcredit Information Group explains: “Databases must be protected by both physical and logical security, and access should be restricted to those with legitimate need. In addition, access and usage should be monitored, and people with legitimate access should be trained and supported in using the data appropriately.”
Bradford believes there should also be an audit trail, so that if any data is compromised it can be traced both internally and externally. While there is some disagreement about how sensitive different elements of data are – and therefore what level of protection they require – Bradford advises that all data should be treated sensitively, because even name and address data could be powerful in the wrong hands.
And don’t forget to ditch data you no longer need. James Castro-Edwards, a solicitor for Speechly Bircham LLP, notes that because the DPA stipulates that data should not be stored for longer than is necessary, it is important to “operate an effective data retention policy and delete data after a certain period.” The timescale for this will depend on the nature of the data that has been collected and its use.
Keeping Data Fresh
Under the DPA, organisations must “ensure systems are in place to keep records containing personal information accurate and current,” says Jones. “For example, if an individual contacts the organisation to ask for their details to be deleted from a mailing list then the necessary steps must be taken to ensure that person does not receive further marketing.”
Bradford suggests creating a suppression list rather than deleting a record completely in this instance. He explains: “If you delete a record and subsequently buy another list of names for marketing purposes you won’t be able to cross check it against any existing data you’ve got and, therefore, you may inadvertently contact someone who has already asked you to stop mailing them.” Again, he says, it comes down to good old-fashioned common sense.
And don’t forget, data decays at an alarming rate. “Regular updating and refreshing is crucial,” says Magson. “Data goes out of date very quickly, so you have to keep on top of this with constant data management – ‘de-dupes’, suppression against ‘goneaways’, the deceased and so on.”
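Bradford’s point about keeping a suppression list rather than deleting the record outright, and Magson’s point about de-duping, can both be made concrete in code. The example below is added here and is not from the article or from any of the organisations quoted in it: it stores a keyed hash (HMAC-SHA256) of each opted-out address instead of the address itself, so the suppression file does not reveal who opted out and cannot be reversed simply by hashing guessed addresses, yet any newly purchased list can still be screened against it. The key value, the sample addresses and the function names are all assumptions for illustration.

```python
"""Screen a newly acquired marketing list against a keyed-hash suppression list.

Added example, not code from the article. Keeping a token rather than the raw
address lets the organisation honour an opt-out without retaining the personal
data it was asked to stop using.
"""
import hashlib
import hmac
import unicodedata

# Assumption: in practice this key lives in a secrets store and is protected
# like a password database; a fixed value is used only so the example runs
# offline and deterministically.
SUPPRESSION_KEY = b"example-only-replace-in-production"


def normalise_email(addr: str) -> str:
    """Canonicalise an address so case and whitespace variants match one entry."""
    addr = unicodedata.normalize("NFKC", addr).strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return f"{local}@{domain}"


def suppression_token(addr: str, key: bytes = SUPPRESSION_KEY) -> str:
    """HMAC-SHA256 of the normalised address; this is all the list stores."""
    canon = normalise_email(addr).encode("utf-8")
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class SuppressionList:
    def __init__(self, key: bytes = SUPPRESSION_KEY):
        self._key = key
        self._tokens: set[str] = set()

    def add(self, addr: str) -> None:
        """Record an opt-out without keeping the address itself."""
        self._tokens.add(suppression_token(addr, self._key))

    def is_suppressed(self, addr: str) -> bool:
        return suppression_token(addr, self._key) in self._tokens

    def screen(self, contacts: list[str]) -> tuple[list[str], list[str], list[str]]:
        """Split a list into (mailable, suppressed, rejected).

        Duplicates that differ only in case or whitespace are collapsed so the
        same person is not mailed twice; unparsable entries are rejected rather
        than mailed.
        """
        mailable, suppressed, rejected, seen = [], [], [], set()
        for addr in contacts:
            try:
                canon = normalise_email(addr)
            except ValueError:
                rejected.append(addr)
                continue
            if canon in seen:
                continue
            seen.add(canon)
            if self.is_suppressed(canon):
                suppressed.append(canon)
            else:
                mailable.append(canon)
        return mailable, suppressed, rejected


# Constructed sample data: one opt-out request and a newly purchased list that
# happens to contain the same person plus a duplicate and a malformed entry.
OPT_OUTS = ["Alice.Smith@Example.com"]
PURCHASED_LIST = [
    "alice.smith@example.com",
    " BOB@example.org ",
    "bob@example.org",
    "carol@example.net",
    "not-an-address",
]


def demo() -> tuple[list[str], list[str], list[str]]:
    suppression = SuppressionList()
    for addr in OPT_OUTS:
        suppression.add(addr)
    return suppression.screen(PURCHASED_LIST)


if __name__ == "__main__":
    mailable, suppressed, rejected = demo()
    print("mailable:  ", mailable)
    print("suppressed:", suppressed)
    print("rejected:  ", rejected)
```

Two caveats a practitioner would add: if the key is stored alongside the suppression file, the tokens are no stronger than a plain hash, so keep them apart; and if the key is ever lost or rotated without re-keying the list, every opt-out recorded under it becomes unusable, so treat the key with the same retention discipline as the data it protects.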
Honesty and Transparency
If you want to make sure you’re complying with the DPA and keeping customers happy and trusting, Castro-Edwards suggests appointing someone who is responsible for data protection across the whole organisation.
“They should be responsible for developing outward-looking policies so that you are telling customers what you are doing with their data, as well as policies that look inwards, informing staff what they can and can’t do with customer data.”
Organisations that don’t do this risk being named and shamed, undoing all the hard work they have done collecting the data in the first place.
Once an organisation has a customer’s details on file, transparency is vital. They must be made aware that they may receive marketing information from other parties, so that they are not surprised to receive it and so that the firm can ensure it is relevant. “If organisations fail to be transparent they will alienate customers and waste money on sending marketing communications to people who simply aren’t interested,” says Bradford.
Permission-based marketing is now a “must have” for any reputable company. Many organisations still seem reluctant to be completely honest with customers about their intentions for their data, for fear of putting them off providing their details. However, as Castro-Edwards points out, it’s when companies don’t tell customers what they’re doing that DPA breaches are likely to occur.
“You need to tell customers in a user-friendly way what you are intending to do, so they aren’t terrified,” he explains. Bradford agrees: “You need to explain your intentions clearly and give them the opportunity to opt in or opt out. Some firms still hide this kind of information in the small print, but it is important to be clear because you want to build a good relationship with them.
“This is the first stage of the customer’s experience with you so if they tick a box saying they don’t want to receive any marketing communications then it immediately removes someone from the marketing pool who would be annoyed if they did receive the information. Organisations must view this positively rather than seeing it as a negative.”
Jones concurs that it is crucial to be honest with customers about your purposes in gathering their data. “Customers must be aware of how their information will be used and whether it will be passed to a third party,” he says.
Consumer trust is imperative, Magson says: “It is critical to protect and build on consumer trust because so much of what we do depends on their decision to give their data.”
He says: “We marketers need customers’ data, so we should be doing everything we can to encourage that all-important trust.” One way to build trust is to target customers intelligently, ensuring they only receive communications that are relevant to them.
While companies are legally bound to be open with customers, Brown believes organisations also have an ethical duty to be open about the data they are collecting and the purposes for which they are going to use it. In short, he says, “be open, be truthful and be consistent”.
Avoiding the Pitfalls
To ensure they don’t fall foul of the regulations and risk the reputation of their brand, marketers must ensure they avoid some common mistakes when it comes to storing or using customer data. These include having weak or non-existent control over access to the data; sharing data without the subject’s consent; not keeping data clean and up to date; and transferring data without encrypting it.
The list is not exhaustive and, ultimately, marketers must adhere to the principles of the DPA and use their common sense when handling data. Brown advises: “Consider the risks associated with the data before considering the necessary protection. And consider what vulnerabilities or weaknesses could make those risks a reality.”
When third parties are involved in the protection of customer data, you should always challenge and assess the security provision they make. “When it comes to customer data, organisations simply can’t be too careful and shouldn’t take anything for granted,” says Brown. “Marketers should get to know the DPA inside and out and ensure its principles are embedded in their organisation.”
It may sound like a lot of drama over what may be just a few e-mail addresses, but as Magson points out: “Without rigorous security policies it’s very easy to get caught out. And as an industry we’d be fools if we didn’t try harder to protect consumer trust, because we thrive on personal information – data is the lifeblood of marketing.”
As a marketer, you don’t want to be left carrying the can if your company makes the headlines for all the wrong reasons, so make sure you avoid infamy by adhering to best-practice guidelines and working hard to ensure your handling of customer data is fully compliant.
Dos and Don’ts
- Do keep customers informed about how you are using their data. They won’t thank you for unexpected marketing communications.
- Do ensure you give customers the opportunity to opt out of receiving marketing communications.
- Do understand the intricacies of the Data Protection Act and work within its constraints to ensure best practice.
- Don’t leave your data-filled laptop on the train.
- Don’t pass customer data to a third party without the subject’s consent.
- Don’t keep data on file for longer than is necessary.
- Don’t allow employees to access sensitive customer data unless they need to in order to perform their job.
Tips from the Top
Phil Jones, assistant commissioner at the Information Commissioner’s Office (ICO), highlights some of the key principles of the Data Protection Act.
- Organisations must ensure personal data is processed fairly and securely. Failure to adequately protect personal data can result in personal or sensitive information falling into the wrong hands and can ultimately damage trust.
- Any data held on customers must be accurate and up to date. ICO research shows almost 70 per cent of organisations are aware of this and we continue to work with those that aren’t, raising awareness of their responsibilities under the Act.
- Organisations must only retain information for as long as is necessary in relation to the purposes for which it was initially collected. And if organisations intend to share marketing lists with other companies they should be open with individuals from the outset about how their information will be used and to whom it will be passed.
- Individuals have the right under the Data Protection Act to opt out of providing information for marketing purposes. Organisations must comply with any such request from an individual and be open and clear with consumers when gathering their personal information.
Source: Emily Cubitt, The Marketer November 2008 p. 39-42