More than half the UK population cares enough to bother to start using tick boxes and opt-outs. And then, of course, there is the Information Commissioner’s Office … they certainly care. There’s been a general uproar over Google’s methods of data collection … over the NHS hard drives containing sensitive patient information being sold on an internet auction site … over PPI telemarketing calls … and so on … we’re all starting to care more and more over who has, who uses, who owns, who controls and who processes our data – and for what purpose.
What is the Data Protection Act anyway?
That’s why we have The Data Protection Act 1998. It establishes a framework designed to keep yours and my personal data safe. And it requires anybody who is a “data controller” – regardless of the size of the business – to register with the Information Commissioner’s Office if they are processing personal information. There are a very few exemptions. To date, over 370,000 organisations are registered.
The Data Protection Act has been designed to balance organisations’ need to collect and use personal data for business and for other purposes versus the rights of individuals to privacy of their personal details. This balancing act is complex and can be hard to understand.
In addition, the evolving complexities of the internet and e-commerce needed further data protection consideration, so the Privacy and Electronic (EC Directive) Regulations were introduced in 2003. And on top of all that, the EU Directive is still under discussion – this will require further data protection steps to be put into place.
Do I have to comply?
The answer is YES. Regardless of the size of your business, if you are a data controller and processing personal data, it is a legal requirement to be data compliant. Part of that process is to notify the ICO that you are a controller and the purpose for which you are collecting and using data. And it is worth noting that all personal data is covered, including business contacts – business to business contacts are not exempt.
The consequences of non-compliance
It is progressively unlikely that companies can “get away with” non-compliance. UK individuals are increasingly aware of their rights in relation to data protection, and are ready to complain to the Information Commissioner’s Office (ICO) if they believe (or just suspect) that a business is not using their personal data compliantly, The ICO can impose fines of up to £ 500,000 against those who are in serious, reckless or deliberate breach of the Data Protection Act.
- Fines and imprisonment – many breaches are criminal offences, and it’s worth noting that Directors may be personally liable for companies in breach and can be prosecuted and imprisoned. Having the Information Commissioner turn up on your doorstep with a court order and inspection warrant is highly damaging in terms of reputation, time and resource requirements, and fines. For example, Tetrus Telecomms was fined £300,000 for serious compliance breaches, and a number of county and borough councils have also been fined for a range of breaches including leaving personal data on a train; losing a laptop containing sensitive personal data and so on. At the time of writing, the Information Commissioner’s Office has issued 36 fines, totalling £4,236,000 – an average of £117,667 per fine.
- Publicity – any investigations as a result of complaint are likely to result in very high administration costs, and the Information Commissioner will publicise successful prosecutions or upheld complaints. In this case, all publicity is absolutely not good publicity.
- Subject access requests – non-compliance can result both in fine and compensation claims
- Staff – can be held individually responsible for breaches, and if their employer hasn’t given them the necessary training to comply, they may sue their employer
- Lost revenue – if the marketing permissions have not been correctly provided when collecting data, then that data may not be used. In addition, if it is deemed that the data has been collected unfairly, it is quite feasible that the company will be required to eliminate all customer and prospect records from databases. In either event this can be costly – both in terms of original collection costs and lost revenue
To avoid these issues, the first step towards compliance is to understand the eight clearly defined common-sense principles within the legislation.
The Eight Principles of Data Compliance
The Information Commissioner’s Office summarises the principles of data compliance very clearly:
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless(a) at least one of the conditions in Schedule 2 is met, and(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
For point 1 above, Schedule 2 examples include:
- The individual whose personal data is being processed has consented to the processing
- The processing is necessary in relation to a contract into which the individual has entered or is about to enter
- The processing is necessary to protect the individual’s “vital interests” – such as medical history for emergency treatment
- The processing is necessary for administering justice or for exercising statutory, governmental or other public functions)
The term, “sensitive personal data” (in 1(b) above) includes such data as ethnicity, political or religious beliefs, physical or mental health and so on.
How do I comply?
There are a number of considerations in relation to data compliance, including, among the main areas:
- Notification – the ICO must be notified and accurately advised of the purposes of the personal data you are processing
- Principles – follow the data protection principles when handling personal information
- Fairness – the subjects of the data you process must be aware of what you are doing with their personal data
- Security – this is a vital area, and covers computers, systems and staff. In summary, it is vital to
keep personal data secure whether in storage, in use, or legitimately being shared
make sure that data access is restricted only to those who need access to it
be certain than any records or equipment which are destroyed or disposed of do not hold personal information which can subsequently be accessed
- Policies – data governance is an essential part of data compliance. Policies and procedures for handling personal data need to be both clear, practical, monitored and enforced.
- Subject access requests – individuals are perfectly entitled to request a copy of the personal information your organisation holds about them. You must provide the information requested within 40 days, and may charge a fee of up to £10. Schools and health authorities operate on a sliding scale up to a maximum of £50. It is helpful to log and monitor such subject access requests
- Data processors – when using data processors to process data on your behalf, ensure they are doing so securely and compliantly
- Training – it is essential that employees and those with access to personal information are fully trained in data compliance. Employee negligence is a significant factor in terms of data and IT security breaches. Effective training mitigates the risk of unwitting breaches.
- Transfer abroad – though sending data to an organisation in the EEA involves the same security and compliance principles as in the UK. Exporting data to the US requires Safe Harbor or contract to ensure adequate protection for the data subjects.
Keeping your Marketing Compliant
Between them the Data Protection Act 1998 and the Privacy and Electronic (EC Directive) Regulations 2003 are the backbone of compliant marketing use of customer and prospect data – both business-to-business and business-to-consumer, both physical and electronic.
It is increasingly important both to be compliant and to be seen to be compliant in terms of collection and use of personal data, whatever the size of your business. But it can be a tricky area to navigate.
In our marketing and data consultancy, Tuffill Verner Associates, we have helped businesses navigate data permissions and compliance across B2C and B2B. With over 30 years experience each, Victoria Tuffill and Michelle Evans are well placed to help marketers stay compliant while still achieving their marketing goals. We provide clear, tailored practical and creative advice to marketers to solve the difficulties of achieving results while staying within the confines of legal compliance.
If you’d like to chat about your data compliance or governance needs, please call Victoria or Michelle on 01787 277742.