Category Archives: General Information

Electronic Communications – ICO Updates March 2014

Last week, the Information Commissioner’s Office issued PECR guidelines with updates that are very much in line with the presentations they gave at the ICO conference on March 3rd. The changes impact marketing in two key areas:

Time Limits for Consent – the new guide states that there is “no fixed time limit” in relation to the validity of consent between consent being obtained and the first contact being made.

Essentially, the acceptable period between consent and first contact depends on two main factors:

  • the expectation of the customer
  • the context under which consent was obtained.

The new PECR guidelines reflect this interpretation, stating:  “consent … will remain valid as long as it is still reasonable to treat it as an ongoing indication of the person’s current wishes.”  At the conference, the ICO stated that, for example in the case of annual renewals, “it is reasonable that consent may be relied upon 12 months after consent was obtained”. However, during the same presentation the ICO categorically stated that they do not accept the concept of indefinite third party consent.  The new guidelines reflect that position too: “…even if consent is not withdrawn, it will become less reliable as time passes.”

Third party mailing list – the use of a third party mailing list for emails, texts and automated telephone calls is a tricky area.  PECR requires that the customer has notified the data user that he or she consents specifically to the user’s message.  Indirect consent, of course, does not meet that requirement, as the consumer has not notified the data user – he or she has notified a third party.

Although it is best practice to send marketing texts or emails only where you have yourself obtained consent, the ICO has made it clear that use of third party mailing lists can be acceptable, as long as:

  • the third party has made absolutely clear and transparent the use to which the data is to be put.  “In essence the customer must have anticipated that their details would be passed to you and that they were consenting to messages from you.”
  • you as the data user are cautious and carry out due diligence, seeking evidence that consent covers your organisation and the medium through which you want to communicate – email, text and automated calls each require specific consent for that specific communication channel.

Within the ICO, there is a small team investigating PECR breaches and taking appropriate complaint-based action, which includes civil monetary penalties, enforcement notices, criminal prosecution, and publication of who has been prosecuted and why.

At the Conference, the ICO shared information on the number of PECR investigations which are taking or have taken place.

To date 296,000 concerns have been reported, as a result of which just 7 monetary penalty notices have been served.  In addition, there have been 11 formal undertakings, 19 enforcement notices and – as at 3 March – there were 79 investigations ongoing. 

The number of fines is low because, in order to levy a monetary penalty, the breach must have caused “substantial damage” – and the impact of a text message is not generally enough to take a business into the area of monetary penalties.
There is a proposal to lower that threshold, and the expectation is that some form of legislative change will be in place by the end of the year.

It is clear from the seriousness with which the ICO treats PECR breaches, that the ICO, like the recently approved EU Data Protection regulations, is trying to put the individual back in control of their own data.  And, for those of us who believe that targeted ‘one-to-one’ marketing is the way to the future, surely making sure that a prospect really wants to receive your message is not such a bad thing?

If you have any concerns over the changes to PECR guidelines, or would like to discuss your business’s personal data compliance and security, please call us on 01787 277742, or email victoria@datacompliant.co.uk

EU Parliament votes in favour of Data Protection amendments …

The European Parliament voted on March 12th to adopt the amendments put forward by the LIBE Committee.  An overwhelming 95% voted in favour (621 for, 10 against and 22 abstained).

What does that mean to UK businesses? 

Essentially the European Parliament has now given its backing both to the structure and fundamental principles of the European Commission’s data protection reform proposals – the General Data Protection Regulation and the Data Protection Directive.

However, to become law the proposed Regulation still has to be adopted by the EU Council of Ministers, who, on March 4th 2014, supported the principle that non-European companies who provide goods and services to European individuals will have to apply the EU data protection law in full.

The next meeting is scheduled for June 2014, and even though this falls after the European elections, yesterday’s vote means that Parliament has now made its decision, and its position will not change regardless of the results of the May elections.

Should these amendments ultimately become law, UK businesses will be affected by a number of issues, many of which have been raised in previous blogs.

BUSINESS ADVANTAGES

While there are undoubtedly restrictive disadvantages to businesses, there are also some advantages which will help establish a level playing field as well as saving time, money and legal costs.

A single law throughout Europe – A single law for data protection across Europe will replace the individual countries’ existing laws, making it easier for companies who will no longer have to work within 28 inconsistent and diverse laws.  According to Europa EU, this will benefit business to the tune of 2.3 billion euros per annum.

One-stop-shop – under current legislation, a business is subject to the national data protection authority in each and every country in which it operates.  The new one-stop-shop rule means that a business will only be subject to the national data protection authority in the country where its Head Office is based.

While this is of significant benefit to businesses, it does make it unwieldy for consumers to keep control of complaints they make against a company whose head office is in a different country.  The one-stop-shop rule means that such consumers will have to complain to their own national data protection authority, who will then pass the complaint to the authority in the relevant country for action under their jurisdiction.  This is quite different from current regulations, where the business is responsible to the data protection authority in the country in which it operates.

Same rules for everyone – Companies based outside Europe will have to apply the same rules as those within.  Currently European businesses work under much stricter rules than their counterparts elsewhere so this will level the playing field.  In addition, there will be an increased level of fines for breaches of the regulations. The ICO can currently levy fines of up to £500,000, but the new legislation proposes fines for businesses who break the data protection rules of up to £85,000,000 or 5% of annual worldwide turnover – whichever is the higher. This should certainly concentrate the minds of some of the data-using giants of industry.

BUSINESS DISADVANTAGES

However, there are significant disadvantages to businesses as the EU proposals seek to empower the data subject far more strongly than ever before:

Right to erasure  – originally this was the “right to be forgotten” – and it allows data subjects to demand that their data is erased by businesses. The latest version states that not only must the business erase the data, but it must pass that request on to other businesses where the data is replicated. This amendment will cause severe difficulties for businesses such as social networks, cloud providers and search engines.  However, the right to erasure does not apply where there is a legitimate reason to keep data within a database.  And the right to erasure may not encroach on the freedom of expression and information of the media.

Consent – obtaining consent from the data subject will become significantly more difficult for businesses who collect and use personal data.  Currently consent may be “inferred” based both on consumers’ actions and their lack of action. Under the current legislation, if somebody buys a product online, and does not opt out; or if an individual does not “unsubscribe” from communication messages, then – depending on the circumstance – it can be “inferred” that the individual has given their consent to receipt of communications, services or offers.

However, the LIBE amendments require “explicit indication of the individual’s wishes” and “clear affirmative action”.  The implications are significant, as it is unlikely that current opt-out or unsubscribe mechanisms will meet the required level of consent. There will also be increased restrictions over relating the consent to the “Purpose” of collecting the data.  If the original Purpose no longer exists, then the company may not rely on that consent to process the customer’s personal data.

This is likely to have a significant impact on businesses – research from fast.map shows that just 30% of consumers today are likely to opt in, compared to 51% choosing not to opt out.  Clearly, over time, there will be changes to these statistics – consumers will become more aware as a result of businesses being forced to become more transparent about how they intend to use the personal data provided.  It is also noteworthy that, from the same research, currently 40% of people state they will provide information in return for something they perceive to be of value.  Some creative thinking is required to find real, tangible benefits to consumers in return for them providing their data.

Profiling – the use of profiling is widespread among UK businesses and direct marketers.  The EU regulations state that data subjects must be provided with a clear explanation of any profiling.  There is even provision to ban profiling entirely in those circumstances where it affects fundamental rights or produces potentially discriminatory results (on grounds such as race, religion etc).  The impact of this on financial services organisations, or those who use credit checking, is likely to be inconvenient at best.

Data Protection Officers – The LIBE amendment requires that a data controller or data processor must appoint a Data Protection Officer (DPO) for a minimum of four years when processing personal data in relation to more than 5,000 data subjects within any 12-month period. And even where an organisation processes under 5,000 individual records but those records include sensitive personal information such as children’s personal information, then they too must also appoint a DPO. Having said that, SMEs are exempt as long as data processing is not their core business activity.

Data Subject Compensation policy – Individuals who have suffered damage can claim compensation for breaches of the Regulation. This would mean that an individual woken up by an unsolicited telemarketing call could claim damages for being disturbed.

There is still a long way to go before the EU legislation is finalised, and in the meantime discussions will continue.  Many countries are clear that getting the legislation right is more important than hitting an arbitrary deadline so both the content and the timetable are subject to change.

Nonetheless it is well worth UK businesses preparing for changes to the data protection landscape.  Although the new legislation is not expected to be in place before 2016, and it may possibly lapse to early 2017, changes are definitely going to happen, and planning for compliance will need to begin now.

If you have any concerns over how the new EU legislation may affect your business, or would like advice on becoming and remaining compliant, please contact us on 01787 277742.

Safe Harbor – how does it work?

The Data Protection Act 1998 prohibits the transfer of personal data to non-European Union countries unless those countries meet the EU “adequacy” standard for privacy protection. Although both the US and EU profess to similar goals of protecting individuals’ privacy, their actual approaches are quite different.

As a result, the US Department of Commerce consulted with the European Commission, and developed the “Safe Harbor” framework – a cross-border data transfer mechanism that complies with European data protection laws and allows businesses to move personal data from the EU to the United States.  There is a similar but separate framework between the US and Switzerland.

To join the Safe Harbor framework, a company self-certifies to the Department of Commerce that it complies with seven data privacy principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and that it meets the EU adequacy standard.  This self-certification needs to be renewed annually.  If a company fails to complete the annual re-certification process in time, the organisation’s certification is changed to “not current”.

The Federal Trade Commission addresses any violations – indeed on 21st January 2014, the FTC identified twelve companies who claimed in their marketing material that they currently complied with the US – EU Safe Harbor Framework, but who had allowed their certification to expire.  The twelve companies range from technology, consumer products and accounting – as well as National Football League teams.

To “set an example” and to help ensure the ongoing integrity of the Safe Harbor framework, the twelve companies have been prohibited from misrepresenting the extent to which they participate in any privacy or security programme sponsored by the government or any other self-regulatory or standard-setting organisation (including the Safe Harbor Framework).

It is worth noting that agreeing to adhere to the Safe Harbor Frameworks is a permanent undertaking: an organisation must continue to apply the Safe Harbor Privacy Principles to personal data obtained through the Safe Harbor Frameworks for as long as the organisation stores, uses or discloses that data, even if the organisation has left the Safe Harbor.

There is a Safe Harbor list, which anybody can check to verify an organisation’s status:   https://safeharbor.export.gov/list.aspx

If you are planning to transfer data between the EU and the US, and would like us to help you, just call Michelle or Victoria on 01787 277742 or email victoria@tuffillverner.co.uk or michelle@tuffillverner.co.uk

NHS … patient data … what’s next?

According to the ICO, there were 388 data breaches relating to health data in the first nine months of 2013.  That is 34% of all the data breaches in the UK during the same period, and the proportion rose from 27% at the end of March to 38% by the end of September 2013.  The chart below compares data breach levels by industry sector over the same period.  Given the sensitivity of the health data held by medical organisations in this country, those are shocking statistics.

Data breaches by sector to Sept 30 2013

Centralised medical records database

Despite this poor track record, very soon the NHS is going to combine all our medical records into one massive database. Every GP practice in the UK will shortly begin to disclose their patients’ personal and sensitive data to care.data at the Health and Social Care information Centre (HSCIC).  The process is monthly, automatic, and assumes patient consent unless patients actively opt out – which is not necessarily a simple process.

So what does this mean to patients?  Essentially, personal confidential data (PCD) such as family history, vaccinations, diagnoses, referrals, blood pressure, BMI, cholesterol, NHS prescriptions and more will be extracted from GP systems and shared with care.data.

In order to match data from the GP surgeries with data acquired by the HSCIC from other sources (such as hospitals), identifying data such as date of birth, postcode, NHS number and gender will be included within the data extracts.  Once matched across all the data sources, the data is pseudonymised: the direct identifiers (name, NHS number) are removed or replaced with a pseudonym.  Pseudonymised data is not the same as anonymous data – the date of birth, postcode and gender that remain are very often unique to one person.

Once an individual is flagged as “deceased” no further data will be collected – though the data already provided will continue to be processed by the HSCIC.

What are the benefits?

If it were possible to trust the security and intentions of those collecting the data, there are some fantastic potential benefits, for example improved patient care; the effective prevention, treatment and management of illness; hospital performance, management of NHS resources; or the analysis and understanding of specific treatment benefits; even planning new health services.

What are the risks?

The poor track record of the NHS in terms of protecting our medical data is alarming and raises concerns over confidentiality of our medical records.  In addition, there are increasing numbers of private companies who provide services to the NHS, from physiotherapists to care homes; from private hospitals to insurance companies.  Members of the public are likely to be uneasy about private companies benefiting from their health data, and equally concerned that their GP will no longer be the “gatekeeper” of their confidential medical data.

Furthermore, although the data will be pseudonymised, a determined analyst can match the fields that remain (date of birth, postcode, gender) against other commercial data sets and will probably succeed, at least in part, in “re-identifying” individuals.
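To show what that linkage actually looks like, here is an added example (not code from the original post, and not the HSCIC’s process). The two datasets are constructed: a pseudonymised extract that keeps date of birth, postcode and gender, and a “commercial” list that carries names against the same three fields. It also contrasts an unkeyed hash of an NHS number with a keyed HMAC, because an unkeyed hash is reversible by simply hashing every ten-digit number; the NHS number used is a test value, not a real patient’s.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed pseudonymised extract: names and NHS numbers removed, a pseudonym
# substituted, but the quasi-identifiers used for matching are still present.
PSEUDONYMISED_EXTRACT = [
    {"pseudo_id": "p1", "dob": "1958-03-14", "postcode": "CO10 9XX", "sex": "F", "diagnosis": "type 2 diabetes"},
    {"pseudo_id": "p2", "dob": "1984-07-02", "postcode": "CO10 9XX", "sex": "M", "diagnosis": "asthma"},
    {"pseudo_id": "p3", "dob": "1984-07-02", "postcode": "CO10 9XX", "sex": "M", "diagnosis": "hypertension"},
    {"pseudo_id": "p4", "dob": "1991-11-30", "postcode": "IP33 1YY", "sex": "F", "diagnosis": "depression"},
]

# Constructed commercial dataset: names present, no health data at all.
COMMERCIAL_LIST = [
    {"name": "A. Example", "dob": "1958-03-14", "postcode": "CO10 9XX", "sex": "F"},
    {"name": "B. Example", "dob": "1984-07-02", "postcode": "CO10 9XX", "sex": "M"},
    {"name": "C. Example", "dob": "1984-07-02", "postcode": "CO10 9XX", "sex": "M"},
    {"name": "D. Example", "dob": "1991-11-30", "postcode": "IP33 1YY", "sex": "F"},
    {"name": "E. Example", "dob": "1970-01-01", "postcode": "IP33 1YY", "sex": "M"},
]

QUASI_IDENTIFIERS = ("dob", "postcode", "sex")


def quasi_key(record):
    """The tuple of quasi-identifiers an analyst would join on."""
    return tuple(record[field] for field in QUASI_IDENTIFIERS)


def k_anonymity(records):
    """Size of the smallest quasi-identifier group; k == 1 means some record is unique."""
    return min(Counter(quasi_key(r) for r in records).values())


def reidentify(extract, external):
    """Link pseudonymised records to named ones on the quasi-identifiers.

    Returns (linked, ambiguous). A record is 'linked' only when its
    quasi-identifier tuple is unique on both sides; otherwise the analyst
    learns just that the person is one of the listed candidates.
    """
    names_by_key = defaultdict(list)
    for row in external:
        names_by_key[quasi_key(row)].append(row["name"])
    extract_counts = Counter(quasi_key(row) for row in extract)

    linked, ambiguous = {}, {}
    for row in extract:
        key = quasi_key(row)
        candidates = names_by_key.get(key, [])
        if not candidates:
            continue
        if len(candidates) == 1 and extract_counts[key] == 1:
            linked[row["pseudo_id"]] = {"name": candidates[0], "diagnosis": row["diagnosis"]}
        else:
            ambiguous[row["pseudo_id"]] = sorted(candidates)
    return linked, ambiguous


def naive_pseudonym(nhs_number):
    """Unkeyed hash: looks opaque but is reversible (see reverse_naive_pseudonym)."""
    return hashlib.sha256(nhs_number.encode()).hexdigest()


def keyed_pseudonym(nhs_number, secret):
    """HMAC with a secret held only by the pseudonymising body: a data recipient
    cannot recompute it, so the dictionary attack below does not apply."""
    return hmac.new(secret, nhs_number.encode(), hashlib.sha256).hexdigest()


def reverse_naive_pseudonym(target, candidate_numbers):
    """Dictionary attack on an unkeyed pseudonym. An NHS number is ten digits,
    so a real attacker simply hashes the whole space; the small candidate
    list here stands in for that enumeration."""
    for number in candidate_numbers:
        if naive_pseudonym(number) == target:
            return number
    return None


if __name__ == "__main__":
    linked, ambiguous = reidentify(PSEUDONYMISED_EXTRACT, COMMERCIAL_LIST)
    print("k-anonymity of extract:", k_anonymity(PSEUDONYMISED_EXTRACT))
    print("re-identified:", linked)
    print("ambiguous only:", ambiguous)
```

Two of the four pseudonymised patients are named outright, complete with diagnosis; the other two are narrowed to a pair. Removing direct identifiers while leaving full date of birth and postcode gives k-anonymity of 1, which is why coarsening those fields (year of birth, postcode district) and keying the pseudonyms matter more than stripping the name.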

Who can use the data?

The data can be released for five listed reasons:  health intelligence, health improvement, audit, health service research and service planning. That’s a pretty broad spectrum, and it is evident that the number and range of potential customers for this centralised database of our medical records is enormous.

For example, how long it will be before insurers persuade the HSCIC that it is to the benefit of the health and social care system that they should model and predict medical claims rates based on the UK’s centralised medical database, and use the findings to price their medical insurance policies accordingly.

Can GP practices opt out?

The Health and Social Care Act 2012 creates a statutory obligation for GP practices to disclose the information as directed.  GPs are unable to refuse, as refusal would put them in breach of the statutory requirement.

But because the GP practice is actually the “data controller” of their patients’ confidential medical records, GP practices are also responsible for ensuring that their patients’ personal and sensitive data is handled fairly (as defined under the Data Protection Act 1998).

So it is up to GPs to ensure that patients are aware that their data will be shared with the HSCIC, that the HSCIC has powers to extract personal confidential data, and, arguably, what the HSCIC intends to do with the data.

And if a patient claims they were unaware that their data was to be shared, it would be the GP practice who would be investigated by the ICO.

The GP practices remain data controllers of the data they hold within the practice, but are no longer responsible for the data once it has been disclosed to the HSCIC.  Instead the HSCIC and NHS England become joint data controllers who are obliged to comply with the Data Protection Act.  NHS England will determine the “Purpose” for the data collection, while the HSCIC will determine the manner of processing.

How do patients opt out?

Normally one would expect the sharing of data of this sensitivity and confidentiality to be subject to patient opt-in, rather than the NHS assuming consent.  However, the Health and Social Care Act 2012 empowers the HSCIC to require providers (eg your GP practice) to send it personal confidential data when directed to do so.  And the Act overrides the requirement to seek patient consent.

A patient can inform their GP of their wish to opt out, and no reason is required.  It is worth noting that the right to opt out has been implemented as a constitutional rather than a legal right.  Having opted out, it is up to the GP practice to ensure that the right code is appended to the legal record.

However, the patient has no right to prevent his or her medical data leaving the GP practice if such data carries no identifiable information, as this is anonymous data rather than personal data.  The question, really, is what is “identifiable information”?  Is a date of birth? Arguably, in some circumstances, it may be.  And surely an NHS number is identifiable information.

The Secretary of State for Health has given a commitment that individuals’ objections to disclosure to the HSCIC will be respected in “all but exceptional circumstances” (for example, a civil emergency).

Is the process compliant?

You could argue that this data sharing activity defies the second principle of the Data Protection Act:  “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with the purpose or those purposes”.  In my view, you don’t talk to your doctor about a medical condition for any purpose other than to have him solve – or try to solve the problem for you.  And while that may include prescriptions, or visits to consultants, hospitals and clinics, making our medical records data available to commercial organisations cannot possibly be considered the “Purpose”.

Data Protection – Security Basics

Data Security

This article has been written to help companies, particularly SMEs, understand the significance and importance of strong data security and excellent staff training, specifically in relation to data protection compliance within their own businesses when dealing with personal and sensitive data.

Apart from the obvious necessity to keep your premises physically secure, and shred any confidential paperwork, there are four main areas covered by this article:

  1. Computer Security
  2. Encryption
  3. Emails
  4. Staff Training

Computer security

Protecting your computers and computer networks includes a number of steps, which can be relatively simple and straightforward to implement.  As is often the way, anything is simple if you know what to do and how to do it.  For example, simple security steps include:

  • Protection  Install firewalls and virus-checking tools.
  • Updates  Keep the operating system set to update itself automatically, on an ongoing basis.
  • Security updates  Stay aware of the latest security patches and updates, and install them when available.
  • Anti-spyware  Consider installing anti-spyware tools (to prevent hostile individuals from monitoring your computer activity, and from making malicious attacks against you).
  • Back-ups are an essential part of computer hygiene – regular backups should be taken and kept separately, so that if your computers are lost or stolen, you still have the information available.
  • Disposal  When you get rid of a computer, it is vital to ensure that all personal information has been securely erased before you move it on; simply deleting files or reformatting the disk leaves the data recoverable.  I always remove the hard drive, and smash it into small pieces – which is probably overkill, but it works for me!  There are other “technical” solutions, but I prefer to destroy the hard drive and know that it’s gone for ever.
  • Spam filters  Ensure that you either have spam filters on your computers or that you use an email provider that offers this service.

Encryption

If sensitive personal information is stolen or lost, it is highly likely to cause damage or distress.  To minimise the risk of disclosure, any such personal information really should be encrypted.  The truth is that login usernames and passwords offer only minimal protection – absolutely not enough to protect against illegal – or simply unauthorised – access. It is also worth remembering that enormous volumes of data can now be stored on tiny devices from memory sticks to smartphones.

Encryption can be a tricky area, so if you are uncertain of how encryption works, or the strengths and weaknesses of various types of encryption, Tony Schiffman can provide useful advice on how to keep your information secure.    Just drop him a line at tony@datacompliant.co.uk

Email security

Writing, sending and receiving emails is now taken for granted as just a part of everyday life.  This may be why there are so many varied opportunities for error and carelessness. Some of the most common issues are summarised below:

  • if the contents of an email are sensitive, the email should be encrypted, or the attachment password protected with the password sent by a separate channel (for example by text message) and never in the same email.
  • when you start to type in the name of the recipient, your software may automatically suggest similar addresses which you have used before. For example, I have a few Johns in my address book whom I email regularly. Each time, the auto-complete function offers me several Johns and I have to force myself to remember to check that I have picked up the right address before clicking “send”.
  • Group email addresses are a useful tool, but it is always worth double-checking who is included within the group and be certain that you eliminate anybody who should not receive your message.
  • If you want to copy someone on an email, but don’t want to share their email address, use the bcc function rather than the cc.  When you use cc, all recipients will be able to see the email addresses of all other recipients to whom the email was sent.

Interesting (if irrelevant) note –we still use the term cc, which stands for carbon copy – going back to the days of typewriters when a sheet of coated carbon paper was placed between two or more sheets of paper. The pressure of the typewriter keys on the carbon papers would cause the ink to be transferred to the additional sheet(s) of paper, thus providing carbon copies.  Bcc, of course, stands for blind carbon copy.

  • When sending a sensitive email from a secure server to a recipient whose server is insecure, the security of that email is only as strong as the weakest hop: if the recipient’s server or provider does not support encrypted transport, the message travels in the clear for that leg.  Always check the security of your recipient’s server / provider before sending your message, or encrypt the content itself so that it does not depend on the transport.
  • Use spam filters on your computers, or use an email provider that offers spam filtering services.
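The auto-complete and cc/bcc points above are easy to enforce in software rather than by memory. The following is an added example, not code from the original article: a pre-send check, written against the Python standard library, that flags recipients whose domain is not in a (constructed) list of known domains or is a one-character look-alike of one, and that builds the message so that Bcc recipients only ever appear in the SMTP envelope, never in the headers that every recipient can read. The domains and addresses are all placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed list of domains this organisation normally corresponds with; a real
# deployment would derive it from the address book. These are placeholder domains.
KNOWN_DOMAINS = {"example.co.uk", "example.org"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (exanple.org)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_recipients(addresses):
    """'Name <user@host>' or bare addresses -> list of (address, domain)."""
    return [(addr, addr.rpartition("@")[2].lower())
            for _name, addr in getaddresses(addresses) if addr]


def check_recipients(addresses, known=KNOWN_DOMAINS):
    """Return (address, reason) warnings for the sender to confirm before sending."""
    warnings = []
    for addr, domain in parse_recipients(addresses):
        if domain in known:
            continue
        lookalike = [k for k in known if edit_distance(domain, k) == 1]
        if lookalike:
            warnings.append((addr, f"look-alike of {lookalike[0]}"))
        else:
            warnings.append((addr, "domain not in address book"))
    return warnings


def build_message(sender, to, cc=(), bcc=(), subject="", body=""):
    """Return (wire_bytes, envelope_recipients).

    Bcc is never written into the headers: every recipient, Bcc included, goes
    into the SMTP envelope (the RCPT TO list), but the bytes that leave the
    server carry only From, To and Cc. Cc recipients are therefore visible to
    everyone on the message; Bcc recipients are not.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = [addr for addr, _domain in parse_recipients([*to, *cc, *bcc])]
    return msg.as_bytes(), envelope


def prepare_send(sender, to, cc=(), bcc=(), subject="", body="", sensitive=False):
    """Run the recipient checks, then build the message.

    Any warning blocks a message marked sensitive; otherwise the warnings are
    returned so the mail client can ask the sender to confirm them.
    """
    warnings = check_recipients([*to, *cc, *bcc])
    if sensitive and warnings:
        raise ValueError(f"sensitive message to unconfirmed recipients: {warnings}")
    wire, envelope = build_message(sender, to, cc, bcc, subject, body)
    return wire, envelope, warnings


if __name__ == "__main__":
    wire, envelope, warnings = prepare_send(
        "me@example.co.uk", ["john.a@example.org"],
        cc=["jane@example.org"], bcc=["john.b@example.co.uk"],
        subject="Q1 figures", body="Figures attached.")
    print(wire.decode())           # no Bcc header in what goes on the wire
    print("envelope:", envelope)   # but the Bcc address is in RCPT TO
    print("warnings:", check_recipients(["John <john@exanple.org>"]))
```

The actual send would then be `smtplib.SMTP.sendmail(sender, envelope, wire)`, passing the envelope list explicitly rather than relying on the library to strip a Bcc header that should never have been there.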

Staff Training

Training your staff to keep data secure is also vital.  Staff can be held responsible for data compliance breaches and may sue their company if they have not been given essential training.

Did you know that your staff can be prosecuted if they deliberately give out personal details without permission?  So it’s essential that their access to personal or sensitive data is limited purely to what they need to do their job, and they are trained to understand what they can and cannot do.  For example:

  • Discretion  Your staff may receive enquiries from people who are trying to obtain personal details dishonestly – teach them how to handle such enquiries so that they cannot be tricked into providing inappropriate information.
  • Passwords  Ensure your staff use strong passwords.  The longer the better, and greater strength can be gained by combining letters, numbers, punctuation and other special characters, while using both upper and lower case letters.
  • Confidentiality  It is, of course, essential that members of staff do not share their passwords or knowledge of sensitive or personal data with colleagues or friends.
  • Professionalism   Staff members should be trained to be professional in their communications, and avoid any offensive communications, emails, or inappropriate dissemination of the details of other people or their private lives.  They must be trained to understand that their inappropriate behaviour can bring your business into disrepute.
  • Spam  They should not open spam – not even to unsubscribe or ‘request no further mailings’.  If you do not have spam filters on your computers, your staff members should be instructed to delete spam as soon as they receive it.
  • Financial information  They should be taught not to believe emails that appear to come from a bank or building society asking for account or credit card details or password information.

If you would like to discuss staff training with Data Compliant, please contact victoria@datacompliant.co.uk

Data Breaches

Data security falls into a number of areas.  Based on the data breaches the ICO reported from April to July 2013, it is clear that security and staff training are critical elements in protecting the personal data you hold.  The types of breach noted during that period are illustrated in the diagram below, and it is notable just how many of them come down to security and staff training.

Data breaches by incident type April to June 2013

In our marketing and data consultancy, Tuffill Verner Associates, we have helped businesses navigate data permissions and compliance across B2C and B2B.  With over 30 years experience each, Victoria Tuffill and Michelle Evans are well placed to help marketers stay compliant while still achieving their marketing goals.  We provide clear, tailored practical and creative advice to marketers to solve the difficulties of achieving results while staying within the confines of legal compliance.

If you’d like to chat about your data compliance, security or governance needs, please contact Victoria or Michelle on 01787 277742 or by email – victoria@datacompliant.co.uk  or michelle@datacompliant.co.uk

Data Protection Compliance – who cares?

More than half the UK population cares enough to bother to start using tick boxes and opt-outs.  And then, of course, there is the Information Commissioner’s Office … they certainly care.  There’s been a general uproar over Google’s methods of data collection … over the NHS hard drives containing sensitive patient information being sold on an internet auction site … over PPI telemarketing calls … and so on … we’re all starting to care more and more over who has, who uses, who owns, who controls and who processes our data – and for what purpose.

What is the Data Protection Act anyway?

That’s why we have The Data Protection Act 1998.  It establishes a framework designed to keep yours and my personal data safe.  And it requires anybody who is a “data controller” – regardless of the size of the business – to register with the Information Commissioner’s Office if they are processing personal information.  There are  a very few exemptions.  To date, over 370,000 organisations are registered.

The Data Protection Act has been designed to balance organisations’ need to collect and use personal data for business and for other purposes versus the rights of individuals to privacy of their personal details.  This balancing act is complex and can be hard to understand.

In addition, the evolving complexities of the internet and e-commerce needed further data protection consideration, so the Privacy and Electronic Communications (EC Directive) Regulations were introduced in 2003. And on top of all that, the EU Regulation is still under discussion – this will require further data protection steps to be put into place.

Do I have to comply?

The answer is YES.  Regardless of the size of your business, if you are a data controller and processing personal data, it is a legal requirement to be data compliant.  Part of that process is to notify the ICO that you are a controller and the purpose for which you are collecting and using data.  And it is worth noting that all personal data is covered, including business contacts – business to business contacts are not exempt.

The consequences of non-compliance

It is progressively unlikely that companies can “get away with” non-compliance.  UK individuals are increasingly aware of their rights in relation to data protection, and are ready to complain to the Information Commissioner’s Office (ICO) if they believe (or just suspect) that a business is not using their personal data compliantly.  The ICO can impose fines of up to £500,000 against those who are in serious, reckless or deliberate breach of the Data Protection Act.

  • Fines and imprisonment – many breaches are criminal offences, and it’s worth noting that Directors may be personally liable for companies in breach and can be prosecuted and imprisoned.  Having the Information Commissioner turn up on your doorstep with a court order and inspection warrant is highly damaging in terms of reputation, time and resource requirements, and fines.  For example, Tetrus Telecomms was fined £300,000 for serious compliance breaches, and a number of county and borough councils have also been fined for a range of breaches including leaving personal data on a train; losing a laptop containing sensitive personal data and so on.  At the time of writing, the Information Commissioner’s Office has issued 36 fines, totalling £4,236,000 – an average of £117,667 per fine.
  • Publicity – any investigations as a result of complaint are likely to result in very high administration costs, and the Information Commissioner will publicise successful prosecutions or upheld complaints.  In this case, all publicity is absolutely not good publicity.
  • Subject access requests – non-compliance can result both in fines and in compensation claims
  • Staff – can be held individually responsible for breaches, and if their employer hasn’t given them the necessary training to comply, they may sue their employer
  • Lost revenue – if the marketing permissions have not been correctly provided when collecting data, then that data may not be used.  In addition, if it is deemed that the data has been collected unfairly, it is quite feasible that the company will be required to eliminate all customer and prospect records from databases.  In either event this can be costly – both in terms of original collection costs and lost revenue

To avoid these issues, the first step towards compliance is to understand the eight clearly defined common-sense principles within the legislation.

The Eight Principles of Data Compliance

The Information Commissioner’s Office summarises the principles of data compliance very clearly:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For point 1 above, Schedule 2 examples include:

  • The individual whose personal data is being processed has consented to the processing
  • The processing is necessary in relation to a contract into which the individual has entered or is about to enter
  • The processing is necessary to protect the individual’s “vital interests” – such as medical history for emergency treatment
  • The processing is necessary for administering justice or for exercising statutory, governmental or other public functions

The term, “sensitive personal data” (in 1(b) above) includes such data as ethnicity, political or religious beliefs, physical or mental health and so on.

How do I comply?

There are a number of considerations in relation to data compliance; the main areas include:

  • Notification – the ICO must be notified and accurately advised of the purposes of the personal data you are processing
  • Principles – follow the data protection principles when handling personal information
  • Fairness – the subjects of the data you process must be aware of what you are doing with their personal data
  • Security – this is a vital area, and covers computers, systems and staff.  In summary, it is vital to:
    • keep personal data secure whether in storage, in use, or legitimately being shared
    • make sure that data access is restricted only to those who need access to it
    • be certain that any records or equipment which are destroyed or disposed of do not hold personal information which can subsequently be accessed
  • Policies – data governance is an essential part of data compliance.  Policies and procedures for handling personal data need to be clear, practical, monitored and enforced.
  • Subject access requests – individuals are perfectly entitled to request a copy of the personal information your organisation holds about them.  You must provide the information requested within 40 days, and may charge a fee of up to £10.  Schools and health authorities operate on a sliding scale up to a maximum of £50.  It is helpful to log and monitor such subject access requests.
  • Data processors – when using data processors to process data on your behalf, ensure they are doing so securely and compliantly.
  • Training – it is essential that employees and those with access to personal information are fully trained in data compliance.  Employee negligence is a significant factor in data and IT security breaches.  Effective training mitigates the risk of unwitting breaches.
  • Transfer abroad – sending data to an organisation in the EEA involves the same security and compliance principles as in the UK, but exporting data to the US requires Safe Harbor or a contract to ensure adequate protection for the data subjects.

Keeping your Marketing Compliant

Between them, the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 are the backbone of compliant marketing use of customer and prospect data – both business-to-business and business-to-consumer, both physical and electronic.

It is increasingly important both to be compliant and to be seen to be compliant in terms of collection and use of personal data, whatever the size of your business.  But it can be a tricky area to navigate.

In our marketing and data consultancy, Tuffill Verner Associates, we have helped businesses navigate data permissions and compliance across B2C and B2B.  With over 30 years’ experience each, Victoria Tuffill and Michelle Evans are well placed to help marketers stay compliant while still achieving their marketing goals.  We provide clear, tailored, practical and creative advice to marketers to solve the difficulties of achieving results while staying within the confines of legal compliance.

If you’d like to chat about your data compliance or governance needs, please call Victoria or Michelle on 01787 277742.

Data … big data? Or back to the Dark Ages

Back in the 80s, there was this thing called “junk mail”.  It was so called because it involved blanket mailing a mass market with little or no targeting.  In other words, the message was irrelevant to a huge proportion of the recipients, so it just got thrown in the bin.

Then we discovered targeting, analysis, insight and profiling.  And the direct mail messages became more appropriate, relevant, cost effective, and considerably less irritating to the consumer.  A classic case of less being more.

I remember the day that “personalised laser text” became available, and we were able to send out mailings with personally addressed letters which referenced the prospect’s other interests.  Letters that said (something along the lines of)

Dear Mrs Bloggs,

Because of your interest in the world’s wild places, we wanted to introduce you to our brand new books which demonstrate the extraordinary and dramatic nature of our own planet earth … from volcanoes to earthquakes …

The letter, including that simple piece of “personal” text, was enclosed in a small envelope with a minuscule brochure and mailed out.  It achieved over three times the response of the standard pre-printed control direct mail letter, which was mailed in a large envelope with an enormous, heavy, expensive brochure.

But now the European Union is proposing to take us back to the Dark Ages and the days of blanket mailings.  Their new proposed legislation is currently in progress, and will impact every level of prospect marketing.

It’s quite clear that the increasing use of new technology makes revisions to current data law essential, particularly given consumer concern over privacy, which has not been helped by our own government’s appallingly cavalier behaviour and carelessness with our personal data.  (Some of the breaches committed by government departments would, if committed by the data industry, have caused severe punitive measures.  Somehow when it’s the government which gets it wrong, the whole thing just quietly gets swept under the carpet. Rant over…)

However, in addition to technological and social media impact, the traditional media channels will suffer significant difficulties.

A brief summary of the key areas is listed below:

  1. Explicit consent to be granted by the recipient prior to any direct marketing – either by word or by action.  In practice this means that where consent is required, organisations must ask for permission to process data.  Without such explicit permission, marketing prospects will not be allowed to receive mailings or cold telemarketing calls.  Current legislation allows such mailings and / or calls to be made unless the prospect has actively opted out.
  2. The customer has the “right to be forgotten” – ie they can insist that their details are removed from a database in their entirety.  This is entirely impractical.  Once deleted, when or if that customer appears again on the database (if, for example, rented from a third party list, or in the event that the customer makes another purchase), the customer’s request for deletion will have vanished.  So in practice, the “right to be forgotten” should trigger the inclusion of that customer in a “suppression” or “do not mail” file so that there is no inappropriate future contact.
  3. Profiling or segmentation may not take place without consent.  This will have serious impact on those data businesses which hold shared transactional data from multiple companies, or geo-demographic data, or indeed simply work with marketing profiling models.
  4. List broking is likely to require significant changes to comply with new legislation.
  5. The definition of personal data has been extended to include, potentially, IP addresses and some cookies.  Quite apart from the fact that an IP address or cookie may be used by a number of individuals, this will make it much more difficult for businesses to analyse and profile web activity.  The impact on digital marketing will be significant and, arguably (given that there will be no ability to provide relevant, targeted marketing) counter-productive.
  6. Cost:  DMA (UK) Ltd research shows that complying with the proposed regulation could cost companies an average of £76,000 each. It estimates a total loss to UK industry of up to £47 billion in lost sales.  These costs come, in part, from:
  • Companies with 250 or more employees will need to appoint a data protection officer
  • Under current legislation, subject access requests can be charged at £10 each.  Under the proposed new legislation, this charge is to be eliminated.  Beyond the lost fee revenue on existing volumes, removing the charge is likely to increase the number of requests, both frivolous and serious.
  • Every organisation that suffers a data security breach would have to notify the Information Commissioner within 24 hours
  • Right to compensation from the controller or the processor in the event of processing activity causing damage to a person
  • Increased fines / sanctions to be imposed
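Point 2 above argues that an erasure request should feed a suppression or “do not mail” file rather than simply wiping the record, otherwise the same person can reappear from a rented list or a repeat purchase and be contacted again.  The following is an added illustration of that practice, not code from the original article or from Tuffill Verner Associates.  It keeps only a keyed hash of the normalised address in the suppression file (so the erased address itself is not retained in the clear), and screens an incoming rented list against it.  The key, the sample records and the field names are assumptions constructed for the example.

```python
import hashlib
import hmac

# Assumption: in a real deployment this key would be managed as a secret,
# not hard-coded.  It is a constructed value for the example only.
SUPPRESSION_KEY = b"example-suppression-key"


def normalise_email(email: str) -> str:
    """Canonicalise an address so that case and stray whitespace do not
    defeat the suppression match."""
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Keyed hash (HMAC-SHA256) of the normalised address.  The suppression
    file stores only this token, so honouring an erasure request does not
    itself keep the address on file in clear text."""
    return hmac.new(SUPPRESSION_KEY,
                    normalise_email(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


class SuppressionFile:
    """Do-not-mail list keyed on suppression tokens."""

    def __init__(self) -> None:
        self._tokens: set[str] = set()

    def record_erasure(self, email: str) -> str:
        """Add the person to the suppression file and return the token stored."""
        token = suppression_token(email)
        self._tokens.add(token)
        return token

    def is_suppressed(self, email: str) -> bool:
        return suppression_token(email) in self._tokens

    def screen(self, records: list[dict]) -> tuple[list[dict], int]:
        """Split a rented or merged list into (mailable records, number dropped).
        Records are dicts with an 'email' field (constructed field name)."""
        mailable = [r for r in records if not self.is_suppressed(r["email"])]
        return mailable, len(records) - len(mailable)


def erase_customer(database: dict, suppression: SuppressionFile, email: str) -> bool:
    """Honour a 'right to be forgotten' request: delete the customer record
    from the marketing database AND record the suppression token, so a later
    reappearance of the same address is blocked.  Returns True if a record
    was actually deleted."""
    key = normalise_email(email)
    existed = key in database
    database.pop(key, None)
    suppression.record_erasure(email)
    return existed


def demo() -> tuple[int, int]:
    """Worked run on constructed data: returns (records left in the database,
    records dropped from a later rented list)."""
    database = {
        "mrs.bloggs@example.com": {"name": "Mrs Bloggs", "interest": "wild places"},
        "j.smith@example.com": {"name": "J Smith", "interest": "volcanoes"},
    }
    suppression = SuppressionFile()
    erase_customer(database, suppression, "Mrs.Bloggs@Example.com")

    # A rented list arriving later, containing the erased person again.
    rented = [
        {"email": " MRS.BLOGGS@example.com ", "source": "rented-list-A"},
        {"email": "new.prospect@example.org", "source": "rented-list-A"},
    ]
    _, dropped = suppression.screen(rented)
    return len(database), dropped


if __name__ == "__main__":
    print(demo())
```

The point of hashing rather than keeping the address is that the suppression file can be retained after the customer record is erased without reproducing the record it replaces; the keyed hash also means a copied suppression file cannot be turned back into a mailing list without the key.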

On the face of it, the picture looks pretty bleak.  But there’s no need to despair just yet – there is time to provide our views on required adjustment, amendment and refinement  before these proposals are ratified and become law in the UK.

But for that to happen, businesses need to act now.  There is a fantastic amount of detailed, excellent information to be found at the DMA (UK) Ltd.  So have a look and check to see how the current proposals are likely to affect your business and your marketing.

Then we need to write to our MEPs – and the DMA has made this easy by providing this link which has all the vital information, including who your MEPs are.   We need to ask them to fight for the fair interests of business.

We’re all for sharing knowledge and information and enjoy a healthy debate, so if you have any questions, views, tips or knowledge, please just “reply” below. Victoria Tuffill – victoria@tuffillverner.co.uk, 01787 277742 or 07967 148398.  Feel free to visit our website.  And yes, we’re on LinkedIn and Twitter.