Data Compliance – Monthly Round-Up

Leave a reply

September 2013 Round-up

Information Commissioner toughens up Direct Marketing Guidelines

data compliance consentThis month the ICO has published new guidelines for direct marketers, with a particular emphasis on consent.  Those companies who make it difficult for their customers to find the “small print” run the risk of finding their so-called consent is invalid.  Essentially the ICO is looking to tighten up current consent policies, by, for example, putting tighter time limits on the period covered by consent, ensuring that the customer is not forced into consenting as part of any service policy.  Users of personal data are going to need to get used to a greater transparency and trust between themselves and their customers.  It is likely that a more creative approach to obtaining consent will be required – such as an explanation of the benefits designed to appeal to the consumer.

Third party use of data is going to become increasingly difficult too, with the onus put on the user for evidence that consent really has been given to the list provider (see Steve’s article on email marketing success).

If you are concerned that you are not entirely certain what is needed to keep your future campaigns compliant, then contact Victoria – victoria@tuffillverner.co.uk

Unsolicited direct marketing calls – the penalties

telemarketingThe Information Commissioner’s Office (ICO) is clamping down on businesses who make unsolicited direct marketing calls.  The law currently requires the ICO to prove that calls or texts are causing substantial damage or substantial distress before issuing a penalty to the perpetrator.  The ICO is now asking the government to reduce the degree of harm that needs to be proven – the aim is that an investigation would have to simply prove annoyance or nuisance before acting.

The ICO routinely collects data from complaints both to their own office and to TPS, which helps identify organisations who may cause concern.

As a result of that activity, in the first quarter of 2013, the ICO issued their first fine for making unsolicited live marketing calls.  DM Design, was fined £90,000.  In the last quarter the ICO has issued two further monetary penalty notices for making unsolicited calls – against Nationwide Energy Services (£125,000 penalty) and We Claim you Gain (£100,000 penalty) – not insubstantial amounts.

The main topics of cold marketing calls are still PPI, then Energy / Green energy and Accident claims.  These are closely followed by debt management.

Automated calls can be made from outside the UK, in which case the steps to be taken against those companies making the calls are obviously limited.

It is clear that the ICO is determined to make it very plain to all companies and organisations using (or selling) data for marketing purposes, that they must follow the law.

They select a number of companies for monitoring based on the complaints they – and TPS receive. They then review the complaints levels – and it’s amazing what a little fear can do to make even quite large companies adjust their thinking in this area.  For example, Talk Talk saw a massive 75% reduction in complaints in the nine months of monitoring; British Gas a 59% reduction in complaints over the same period; while Scottish Power complaints were reduced by 30%.

If you have any concerns over how to ensure your telemarketing is compliant, please contact Victoria – victoria@tuffillverner.co.uk

Encryption: do you understand the  options available and how you can use them?

data protection encryptionThe Data Protection Act requires organisations that are storing personal information electronically to have appropriate measures in place to keep the information secure. If the loss of this information would cause damage and distress to those affected then the Information Commissioner’s Office (ICO) expect the information to be encrypted.

If it isn’t, then an organisation is not keeping the information secure and leaving themselves open to possible enforcement action. Penalties totalling £700,000 have so far been issued to organisations who have failed to properly encrypt their data.

So it’s definitely worth looking at the different types of encryption available and making them work for your organisation.  If you are thinking about the need for encryption but don’t fully understand the different options available to you, then do contact Tony at tony@tuffillverner.co.uk

Subject access requests – failure to comply can be costly

Keyboard - blue key AccessFollowing the publication last month of the Subject Access Code of Practice, the handling of subject access requests is becoming increasingly important.  After a complaint from a member of the public, action has been taken against Cardiff City Council systemic failures leading to the inability for the council to respond to individuals’ subject access requests within the 40 day time limit.

So it’s worth noting the importance of tightening up procedures and making sure staff are properly trained to handle such requests in compliance with the DPA.

If you are unclear of your obligations and would like advice on the matter, do contact michelle@tuffillverner.co.uk

Do your employees work from home?  Or use a smartphone?

istock multi media croppedIt is well worth reviewing the measures you have in place to make sure personal information being accessed and used by home workers is being kept secure.  It is now becoming increasingly popular for individuals to work from home, and to access data via tablets and smartphones.

Aberdeen City Council has just been served with a penalty of £100,000 after sensitive personal information relating to the care of vulnerable children was inadvertently posted online by one of their home workers. The information was freely available for a three-month period before a council employee spotted it and the information was taken down.

An investigation found that the council had no means of monitoring how personal information was being accessed and used by their home workers and, worse yet, provided no guidance to help people working from home keep personal information secure.

So do make sure you follow the guidelines, especially if your employees are using smartphones and other personal devices to access personal data outside the office.  If you’d like some information on the sorts of measures you should be taking, please contact Michelle – michelle@tuffillverner.co.uk

New teaching materials will help young people to take control of their information

Great news that the ICO has published new teaching materials for schools to help teachers explain to young people the importance of looking after their personal information.  Especially since a 2011 survey showed that, although 9 out of 10 secondary school pupils were using a social networking website, 60% paid no attention to that website’s privacy policy.

The educational material has been developed by teachers and tailored to specific areas of the curriculum with a focus on helping youngsters understand the value and importance of their personal information and teaching them how they can look after it.

No surprise after Leveson consultation that the Press is deemed to need further guidance on conduct and ethics

Last year’s Leveson Inquiry provided a number of recommendations relating to the conduct and ethics of the press. The most high-profile recommendation for the ICO office was that it should better educate the press about their legal obligations under the DPA.

A consultation was launched in March to find out stakeholder’s views on a potential code of practice to explain the law as it stands. Responses were received from several media companies, individuals, regulators and representative bodies. The responses have raised concerns that any new code of practice would cause confusion with the existing editor’s code!

Tuffill Verner Associates provides data compliance advice – if you have any concerns or are unclear on a particular issue, just drop us an email or give us a call.

victoria@tuffillverner.co.uk   01787 277742 / 07967 148398

michelle@tuffillverner.co.uk   01206 392909 / 07760 257427

Data Protection – Security Basics

Leave a reply

iStock_000019241383SmallData Security

This article has been written to help companies, particularly SMEs, understand the significance and importance of strong data security and excellent staff training, specifically in relation to data protection compliance within their own businesses when dealing with personal and sensitive data.

Apart from the obvious necessity to keep your premises physically secure, and shred any confidential paperwork, there are four main areas covered by this article:

  1. Computer Security
  2. Encryption
  3. Emails
  4. Staff Training

Computer security

Protecting your computers and computer networks includes a number of steps, which can be relatively simple and straightforward to implement.  As is often the way, anything is simple if you know what to do and how to do it.  For example, simple security steps include:

  • Protection  Installing firewalls and virus-checking tools
  • Updates Keeping the operating system updated automatically ongoing
  • Security updates Staying aware of the latest security patches and updates, and downloading when available
  • Anti-spyware   Consider installing anti-spyware tools (to prevent hostile individuals from monitoring your computer activity, and from making malicious attacks against you.
  • Back-ups are an essential part of computer hygiene – regular backups should be taken and kept separately so that if your computers are lost, you still have the information available.
  • Disposal  When you get rid of a computer, it is vital to ensure that all personal information before you move it on.  I always remove the hard drive, and smash it into small pieces – which is probably overkill, but it works for me!  There are other “technical” solutions, but I prefer to  destroy the hard drive and know that it’s gone for ever.
  • Spam filters  Ensure that you either have spam filters on your computers or that you use an email provider that offers this service.

Encryption

If sensitive personal information is stolen or lost, it is highly likely to cause damage or distress.  To minimise the risk of disclosure, any such personal information really should be encrypted.  The truth is that login usernames and passwords offer only minimal protection – absolutely not enough to protect against illegal – or simply unauthorised – access. It is also worth remembering that enormous volumes of data can now be stored on tiny devices from memory sticks to smartphones.

Encryption can be a tricky area, so if you are uncertain of how encryption works, or the strengths and weaknesses of various types of encryption, Tony Schiffman can provide useful advice on how to keep your information secure.    Just drop him a line at tony@datacompliant.co.uk

email security

Writing, sending and receiving emails is now taken for granted as just a part of everyday life.  This may be why there are so many varied opportunities for error and carelessness. Some of the most common issues are summarised below:

  • if the contents of an email are sensitive, the email should be encrypted or password protected.
  • when you start to type in the name of the recipient, your software may automatically suggest similar addresses which you have used before. For example, I have a few Johns in my address book whom I email regularly. Each time, the auto-complete function offers me several Johns and I have to force myself to remember to check that I have picked up the right address before clicking “send”.
  • Group email addresses are a useful tool, but it is always worth double-checking who is included within the group and be certain that you eliminate anybody who should not receive your message.
  • If you want to copy someone on an email, but don’t want to share their email address, use the bcc function rather than the cc.  When you use cc, all recipients will be able to see he email addresses of all other recipients to whom the email was sent.

Interesting (if irrelevant) note –we still use the term cc, which stands for carbon copy – going back to the days of typewriters when a sheet of coated carbon paper was placed between two or more sheets of paper. The pressure of the typewriter keys on the carbon papers would cause the ink to be transferred to the additional sheet(s) of paper, thus providing carbon copies.  Bcc, of course, stands for blind carbon copy.

  • When sending a sensitive email from a secure server to a recipient whose server is insecure, the security of that email will be jeopardised.  Always check the security of your recipient’s server / provider before sending your message.
  • Use spam filters on your computers, or use an email provider that offers spam filtering services.

Staff Training

Training your staff to keep data secure is also vital.  Staff can be held responsible for data compliance breaches and may sue their company if they have not been given essential training.

Did you know that your staff can be prosecuted if they deliberately give out personal details without permission?  So it’s essential that their access to personal or sensitive data is limited purely to what they need to do their job, and they are trained to understand what they can and cannot do.  For example:

  • Discretion  Your staff may receive enquiries from people who are trying to obtain personal details dishonestly – teach them how to handle such enquiries so that they cannot be tricked into providing inappropriate information.
  • Passwords  Ensure your staff use strong passwords.  The longer the better, and greater strength can be gained by combining letters, numbers, punctuation and other special characters, while using both upper and lower case letters.
  • Confidentiality  It is, of course, essential that members of staff do not share their passwords or knowledge of sensitive or personal data with colleagues or friends.
  • Professionalism   Staff members should be trained to be professional in their communications, and avoid any offensive communications, emails, or inappropriate dissemination of the details of other people or their private lives.  They must be trained to understand that their inappropriate behaviour can bring your business into disrepute.
  • Spam  They should not open spam – not even to unsubscribe or ‘request no further mailings’.  If you do not have spam filters on your computers, when they receive spam, your staff members should be instructed that, when they receive spam, the email should be deleted.
  • Financial information  They should be taught not to believe emails that appear to come from a bank or building society that asks for account or credit card details or password information

If you would like to discuss staff training with Data Compliant, please contact victoria@datacompliant.co.uk

Data Breaches

Data security falls into a number of areas.  Based on the ICO’s stated data breaches from April to July 2013, it is clear that security and staff training are critical elements in protecting the personal data you hold.  The types of breach noted during that period are illustrated in the diagram below.  It is notable just how significant security and staff training are in the prevention of protecting personal and sensitive data.

Data breaches by incident type April to June 2013

In our marketing and data consultancy, Tuffill Verner Associates, we have helped businesses navigate data permissions and compliance across B2C and B2B.  With over 30 years experience each, Victoria Tuffill and Michelle Evans are well placed to help marketers stay compliant while still achieving their marketing goals.  We provide clear, tailored practical and creative advice to marketers to solve the difficulties of achieving results while staying within the confines of legal compliance.

If you’d like to chat about your data compliance, security or governance needs, please contact Victoria or Michelle on 01787 277742 or by email – victoria@datacompliant.co.uk  or michelle@datacompliant.co.uk

Data Protection Compliance – who cares?

1 Reply

iStock_000025097331XSmall

More than half the UK population cares enough to bother to start using tick boxes and opt-outs.  And then, of course, there is the Information Commissioner’s Office … they certainly care.  There’s been a general uproar over Google’s methods of data collection … over the NHS hard drives containing sensitive patient information being sold on an internet auction site … over PPI telemarketing calls … and so on … we’re all starting to care more and more over who has, who uses, who owns, who controls and who processes our data – and for what purpose.

What is the Data Protection Act anyway?

That’s why we have The Data Protection Act 1998.  It establishes a framework designed to keep yours and my personal data safe.  And it requires anybody who is a “data controller” – regardless of the size of the business – to register with the Information Commissioner’s Office if they are processing personal information.  There are  a very few exemptions.  To date, over 370,000 organisations are registered.

The Data Protection Act has been designed to balance organisations’ need to collect and use personal data for business and for other purposes versus the rights of individuals to privacy of their personal details.  This balancing act is complex and can be hard to understand.

In addition, the evolving complexities of the internet and e-commerce needed further data protection consideration, so the Privacy and Electronic (EC Directive) Regulations were introduced in 2003. And on top of all that, the EU Directive is still under discussion – this will require further data protection steps to be put into place.

Do I have to comply?

The answer is YES.  Regardless of the size of your business, if you are a data controller and processing personal data, it is a legal requirement to be data compliant.  Part of that process is to notify the ICO that you are a controller and the purpose for which you are collecting and using data.  And it is worth noting that all personal data is covered, including business contacts – business to business contacts are not exempt.

The consequences of non-compliance

handcuffs and money computerIt is progressively unlikely that companies can “get away with” non-compliance.  UK individuals are increasingly aware of their rights in relation to data protection, and are ready to complain to the Information Commissioner’s Office (ICO) if they believe (or just suspect) that a business is not using their personal data compliantly, The ICO can impose fines of up to £ 500,000 against those who are in serious, reckless or deliberate breach of the Data Protection Act.

  • Fines and imprisonment – many breaches are criminal offences, and it’s worth noting that Directors may be personally liable for companies in breach and can be prosecuted and imprisoned.  Having the Information Commissioner turn up on your doorstep with a court order and inspection warrant is highly damaging in terms of reputation, time and resource requirements, and fines.  For example, Tetrus Telecomms was fined £300,000 for serious compliance breaches, and a number of county and borough councils have also been fined for a range of breaches including leaving personal data on a train; losing a laptop containing sensitive personal data and so on.  At the time of writing, the Information Commissioner’s Office has issued 36 fines, totalling £4,236,000 – an average of £117,667 per fine.
  • Publicity – any investigations as a result of complaint are likely to result in very high administration costs, and the Information Commissioner will publicise successful prosecutions or upheld complaints.  In this case, all publicity is absolutely not good publicity.
  • Subject access requests – non-compliance can result both in fine and compensation claims
  • Staff – can be held individually responsible for breaches, and if their employer hasn’t given them the necessary training to comply, they may sue their employer
  • Lost revenue – if the marketing permissions have not been correctly provided when collecting data, then that data may not be used.  In addition, if it is deemed that the data has been collected unfairly, it is quite feasible that the company will be required to eliminate all customer and prospect records from databases.  In either event this can be costly – both in terms of original collection costs and lost revenue

To avoid these issues, the first step towards compliance is to understand the eight clearly defined common-sense principles within the legislation.

The Eight Principles of Data Compliance

The Information Commissioner’s Office summarises the principles of data compliance very clearly:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless(a) at least one of the conditions in Schedule 2 is met, and(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For point 1 above, Schedule 2 examples include:

  • The individual whose personal data is being processed has consented to the processing
  • The processing is necessary in relation to a contract into which the individual has entered or is about to enter
  • The processing is necessary to protect the individual’s “vital interests” – such as medical history for emergency treatment
  • The processing is necessary for administering justice or for exercising statutory, governmental or other public functions)

The term, “sensitive personal data” (in 1(b) above) includes such data as ethnicity, political or religious beliefs, physical or mental health and so on.

How do I comply?

There are a number of considerations in relation to data compliance, including, among the main areas:

  • Notification – the ICO must be notified and accurately advised of the purposes of the personal data you are processing
  • Principles – follow the data protection principles when handling personal information
  • Fairness – the subjects of the data you process must be aware of what you are doing with their personal data
  • Security – this is a vital area, and covers computers, systems and staff.  In summary, it is  vital to

keep personal data secure whether in storage, in use, or legitimately being shared

make sure that data access is restricted only to those who need access to it

be certain than any records or equipment which are destroyed or disposed of do not hold personal information which can subsequently be accessed

    • Policies – data governance is an essential part of data compliance.  Policies and procedures for handling personal data need to be both clear, practical, monitored and enforced.
    • Subject access requests – individuals are perfectly entitled to request a copy of the personal information your organisation holds about them.  You must provide the information requested within 40 days, and may charge a fee of up to £10.  Schools and health authorities operate on a sliding scale up to a maximum of £50.  It is helpful to log and monitor such subject access requests
    • Data processors – when using data processors to process data on your behalf, ensure they are doing so securely and compliantly
    • Training – it is essential that employees and those with access to personal information are fully trained in data compliance.  Employee negligence is a significant factor in terms of data and IT security breaches.  Effective training mitigates the risk of unwitting breaches.
    • Transfer abroad – though sending data to an organisation in the EEA involves the same security and compliance principles as in the UK.  Exporting data to the US requires Safe Harbor or contract to ensure adequate protection for the data subjects.

Keeping your Marketing Compliant

Between them the Data Protection Act 1998 and the Privacy and Electronic (EC Directive) Regulations 2003 are the backbone of compliant marketing use of customer and prospect data – both business-to-business and business-to-consumer, both physical and electronic.

It is increasingly important both to be compliant and to be seen to be compliant in terms of collection and use of personal data, whatever the size of your business.  But it can be a tricky area to navigate.

In our marketing and data consultancy, Tuffill Verner Associates, we have helped businesses navigate data permissions and compliance across B2C and B2B.  With over 30 years experience each, Victoria Tuffill and Michelle Evans are well placed to help marketers stay compliant while still achieving their marketing goals.  We provide clear, tailored practical and creative advice to marketers to solve the difficulties of achieving results while staying within the confines of legal compliance.

If you’d like to chat about your data compliance or governance needs, please call Victoria or Michelle on 01787 277742.

Data … big data? Or back to the Dark Ages

Leave a reply

Back in the 80s, there was this thing called “junk mail”.  And it was so called because it involved blanket mailing a mass market with little or no targeting. In other words, the message was irrelevant to a huge proportion of the recipients, so just got thrown in the bin.

Then we discovered targeting, analysis, insight and profiling.  And the direct mail messages become more appropriate, relevant, cost effective, and considerably less irritating to the consumer.  A classic case of less was more.

I remember the day that “personalised laser text” became available, and we were able to send out mailings with personally addressed letters which referenced the prospect’s other interests.  Letters that said (something along the lines of)

Dear Mrs Bloggs,

Because of your interest in the world’s wild places, we wanted to introduce you to our our brand new books which demonstrate the extraordinary and dramatic nature of our own planet earth … from volcanoes to earthquakes …. 

The letter, including that simple piece of “personal” text, was enclosed into a small envelope with a miniscule brochure and mailed out.  It achieved over three times the response of the standard pre-printed control direct mail letter which was mailed in large envelope with enormous, heavy, expensive brochure

But now the European Union is proposing to take us back to the Dark Ages and the days of blanket mailings.  Their new proposed legislation is currently in progress, and will impact every level of prospect marketing.

It’s quite clear that the increasing use of new technology makes revisions to current data law essential, particularly given consumer concern over privacy which has not helped by our own government’s appallingly cavalier behaviour and carelessness with our personal data.  (Some of the breaches committed by government departments would have, if committed by the data industry, have caused severe punitive measures.  Somehow when it’s the government which gets it wrong, the whole thing just quietly gets swept under the carpet. Rant over…)

However, in addition to technological and social media impact, the traditional media channels will suffer significant difficulties.

A brief summary of the key areas is listed below:

  1. Explicit consent to be granted by the recipient prior to any direct marketing – either by word or by action.  In practice this means that where consent is required, organisations must ask for permission to process data.  Without such explicit permission, marketing prospects will not be allowed to receive mailings or cold telemarketing calls.  Current legislation allows such mailings and / or calls to be made unless the prospect has actively opted out.
  2. The customer has the “right to be forgotten” – ie they can insist that their details are emoved from a database in their entirety.  This is entirely impractical.  Once deleted, when or if that customer appears again on the database (if, for example, rented from a third party list, or in the event that the customer makes another purchase), the customer’s request for deletion will have vanished.  So in practice, the “right to be forgotten” should trigger the inclusion of that customer into a ”suppression” or “do not mail” file so that there is no inappropriate future contact.
  3. Profiling or segmentation may not take place without consent.  This will have serious impact on those data businesses which hold shared transactional data from multiple companies, or geo-demographic data, or indeed simply work with marketing profiling models.
  4. List broking is likely to require significant changes to comply with new legislation.
  5. The definition of personal data has been extended to include, potentially, IP addresses and some cookies.  Quite apart from the fact that an IP address or cookie may be used by a number of individuals, this will make it much more difficult for businesses to analyse and profile web activity.  The impact on digital marketing will be significant and, arguably (given that there will be no ability to provide relevant, targeted marketing) counter-productive.
  6. Cost:  DMA (UK) Ltd research shows that complying with the proposed regulation could cost companies an average of £76,000 each. It estimates a total loss to UK industry of up to £47 billion in lost sales.  These costs come, in part, from:
  • Companies with 250 or more employees will need to appoint a data protection officer
  • Under current legislation, subject access requests can be charged at £10 each.  Under the proposed new legislation, this charge is to be eliminated. This is likely to result in increased numbers of requests.  In addition to the lost revenue from existing volumes of which is likely to increase the number of requests, frivolous and serious.
  • Every organisation that suffers a data security breach would have to notify Information commissioner within 24 hours
  • Right to compensation from the controller or the processor in the event of processing activity causing damage to a person
  • Increased fines / sanctions to be imposed

On the face of it, the picture looks pretty bleak.  But there’s no need to despair just yet – there is time to provide our views on required adjustment, amendment and refinement  before these proposals are ratified and become law in the UK.

But for that to happen, businesses need to act now.  There is a fantastically detailed amount of excellent information to be found at the DMA (UK) Ltd.     So have a look and check to see how the current proposals are likely to affect your business and your marketing.

Then we need to write to our MEPs – and the DMA has made this easy by providing this link which has all the vital information, including who your MEPs are.   We need to ask them to fight for the fair interests of business.

We’re all for sharing knowledge and information and enjoy a healthy debate, so if you have any questions, views, tips or knowledge, please  just “reply” below. Victoria Tuffill – victoria@tuffillverner.co.uk   01787 277742 or  07967 148398.   Feel free to visit our website.  And yes, we’re on Linked In, and Twitter