Tag Archives: data

ICO updates Subject Access Requests (SARs) advice for data controllers following Court of Appeal decisions

Leave a reply

The Information Commissioner’s Office (ICO) has updated its ‘Code of Practice on Subject Access Requests’ chiefly in response to several Court of Appeal decisions made earlier this year related to SARs. Under the Data Protection Act 1998, individuals (‘data subjects’) may request access to their personal information held by a ‘data controller.’

These requests for information are called SARs, and can range from the request for specific or limited information to the request for the entirety of held information including why it is held and to whom it may have been disclosed. The scope of a data controller’s obligations, therefore, will vary from case to case, and will be particularly burdensome for large organisations. Currently, data controllers may charge a fee of up to £10 for processing a SAR, and must provide the requester the relevant information within 40 calendar days. When the GDPR comes into force next year, data controllers will normally not be entitled to charge a fee, irrespective of the inconvenience, and will be expected to provide the information within a shorter timeframe of 30 calendar days.

However, the ICO has revised its guidance in dealing with SARs to prepare controllers for data compliance in light of the Court of Appeal’s judgements on a string of cases in which SARs took place alongside ongoing or threatened litigation – cases which in the opinion of numerous legal commentators, therefore, highlight the potential for widespread abuse of SARs to redress grievances outside the purview of data protection law.

The three key changes to the ICO’s Code

  1. Scope for assessing ‘disproportionate effort’

The DPA includes an exemption from having to respond to SARs if this would involve ‘disproportionate effort’ for the data controller. Whereas the Code previously indicated that a refusal to provide information on the grounds of it being difficult is unacceptable, it now, with greater lenience, states: “there is scope for assessing whether, in the circumstances of a particular case, supplying a copy of the requested information in permanent form would result in so much work or expense as to outweigh the requester’s right of access to their personal data.” The ICO expects controllers to evaluate the benefits to the data subject as a result of the SAR against the difficulties in complying with the request, and assess whether the scope of the request is reasonable.

  1. Dialogue between controller and requester

The ICO now advises controllers to enter into dialogue with data subjects following a SAR. This may allow the requester to specify which information they require, thereby refining the request, and making the process more manageable and less likely to result in disproportionate effort. The Code continues to explain how it will take into account both controller’s and subject’s willingness to participate in this dialogue if they receive a complaint about the handling of a SAR.

  1. Information management systems and redaction of third-party data

 The ICO now expects controllers to have information management systems wherein personal information, including archived or back-up data, can be found expediently in anticipation of a SAR. Moreover, the information management system should allow for the redaction of third-party data. This is important, since certain SARs may be declined if the information requested would result some way in the disclosure of personal information about another living person.

Subject Access Requests: For more information have a look at the 4 Court of Appeal decisions that informed the ICO’s revised guidance:  Dawson-Damer v Taylor Wessing LLP, Ittihadieh v 5-11 Cheyne Gardens, Deer v Oxford University, Holyoake v Candy

Harry Smithson 7th July 2017

Weekly Roundup: Global Cyber-Attack, Google Scan Emails, Political Party Under Investigation, Nuisance Calls Fine

Leave a reply

Malware outbreak in 64 countries, Google scrap email scans, and the Conservative Party face ‘serious allegations’

Global cyber-attack disrupts companies in 64 countries

Corrupted Ukrainian accountancy software ‘MEDoc’ is suspected to be the medium of a cyberattack on companies ranging from British ad agency WPP to Tasmanian Cadbury’s factory, with many European and American firms reporting disruption to services. Banks in Ukraine, Russian oil giant Rosneft, shipping giant Maersk, a Rotterdam port operator, Dutch global parcel service TNT and US law firm DLA Piper were among those suffering inabilities to process orders or else general computer shutdowns.

Heralded as “a recent dangerous trend” by Microsoft, this attack comes just 6 weeks after the WannaCry attack primarily affecting NHS hospitals. Both attacks appear to make use of a Windows vulnerability called ‘Eternal Blue,’ thought to have been discovered by the NSA and leaked online – although the NSA has not confirmed this. The NSA’s possible use of this vulnerability, which has served to create a model for cyber-attacks for political and criminal hackers, has been described by security experts as “a nightmare scenario.”

A BBC report suggests that given 80% of all instances of this malware were in Ukraine, and that the provided email address for the ‘ransom’ closed down quickly, the attack could be politically motivated at Ukraine or those who do business in Ukraine. Recent announcements suggest it could be related to data not money.

The malware appears to have been channelled through the automatic update system, according to security experts including the malware expert credited with ending the WannaCry attack, Marcus Hutchins. The MEDoc software would have originally begun this process legitimately, but at some point the update system released the malware into numerous companies’ computer systems.

 

Google to stop scanning Gmail accounts for personalised marketing data

In a blog published at the end of last week, the tech firm Google have confirmed that they will stop scanning Gmail users’ emails for the sake of accruing data to be used in personalised adverts, by the end of the year. This will put the consumer version of Gmail in line with the business edition.

Google had advertised their Gmail service by offering 1GB of ‘free’ webmail storage. However, it transpired that Google was paying for this offer by running these scans.

This recent change in tactic has been met with ‘qualified’ welcome by privacy campaigners. Executive director Dr Gus Hosein of Privacy International, the British charity who have been campaigning for regulators to intervene since they discovered the scans, stated:

When they first came up with the dangerous idea of monetising the content of our communications, Privacy International warned Google against setting the precedent of breaking the confidentiality of messages for the sake of additional income. […] Of course they can now take this decision after they have consolidated their position in the marketplace as the aggregator of nearly all the data on internet usage, aside from the other giant, Facebook.

Google faced a fairly substantial backlash on account of these scans when they were discovered, notably from Microsoft, with their series of critical ‘Gmail man’ adverts, depicting a man searching through people’s messages.

However, digital rights watchdog Big Brother Watch celebrated Google’s move, describing it as “absolutely a step in the right direction, let’s hope it encourages others to follow suit.”

UK Conservative Party under investigation for breaching data protection and election law

A Channel 4 News undercover investigation has provoked ‘serious allegations’ of data protection and election offences against the Conservative Party.

The investigation uncovered the party’s use of a market research firm based in Neath, South Wales, to make thousands of cold calls to voters in marginal seats ahead of the election this month. Call centre staff followed a ‘market research’ script, but under scrutiny this script appears to canvass for specific local Conservative candidates – in a severe breach of election law.

Despite the information commissioner Elizabeth Denham’s written warnings to all major parties before the election began, reminding them of data protection law and the illegality of such telecommunications, the Conservatives operated a fake market research company. This constitutes a breach separate to election law, and mandates the Information Commissioner’s Office to investigate.

The ICO’s statement on 23rd June reads,

The investigation has uncovered what appear to be underhand and potentially unlawful practices at the centre, in calls made on behalf of the Conservative Party. These allegations include:

  • Paid canvassing on behalf of Conservative election candidates – banned under election law.
  • Political cold calling to prohibited numbers
  • Misleading calls claiming to be from an ‘independent market research company’ which does not apparently exist

MyHome Installations Ltd fined £50,000 for nuisance calls

Facing somewhat less public scrutiny and condemnation than the Conservative Party, Maidstone domestic security firm MyHome Installations has been issued a £50,000 fine by the ICO for making nuisance calls.

The people who received these calls had explicitly opted out of telephone marketing by registering their numbers with the Telephone Preference Service (TPS), the “UK’s official opt-out of telephone marketing.”

The ICO received 169 complaints from members of the public who’d received unwanted calls about electrical surveys and home security from MyHome Installations Ltd.

Harry Smithson 28 June 2017

Insider Threats – Charlotte’s View

1 Reply

Insider Threats – Charlotte’s View

Something that is being spoken about more and more (due to the unfortunate higher frequency) is insider threat. It’s in the news an awful lot more than it ever used to be.

Do you remember the auditor of Morrisons who released a spreadsheet detailing just shy of 100,000 members of staff’s (very) personal details? He did end up getting jailed for 8 years but I heard a saying recently, it’s not a digital footprint you leave it’s more of a digital tattoo. Even two years after the incident Morrisons is still suffering the effects.

Now obviously that was what you would call a malicious breach. It does unfortunately happen, but there are ways for you to protect your company against this. Firstly we here at Data Compliant believe that if you have detailed joiner processes in place (i.e. thorough screening and references and criminal checks where appropriate), ongoing appraisals with staff and good leaver processes you can minimise your risk.

Other ways of insider breaches occurring, and much more likely in my opinion, are negligence, carelessness and genuine accidents. Did you know that over 50% of data breaches are cause by staff error? This may be because staff do not follow company procedures correctly and open up pathways for hackers. Or it could be that your staff are tricked into handing over information that they shouldn’t.

Your staff could be your company’s weakest point in relation to protecting it’s personal and confidential data. But you can take simple steps to minimise this risk by training your staff in data protection.

Online training has some big advantages for businesses, it’s a quick, efficient and relatively inexpensive way of training large numbers of employees while “taking them out of the business” for the least possible time.

The risk of breaches isn’t just your business’ reputation, or even a hefty fine from the ICO but as mentioned before, also a criminal conviction. Now that is a lot to risk.

If you’re interested in online training have a look at this video.

 

charlotte

Written by Charlotte Seymour, November 2016

 

Safe Harbor – how does it work?

1 Reply

safe harbor pic

The Data Protection Act 1998 prohibits the transfer of personal data to non-European Union countries unless those countries meet the EU “adequacy” standard for privacy protection. Although both the US and EU profess to similar goals of protecting individuals’ privacy, their actual approaches are quite different.

As a result, the US Department of Commerce consulted with the European Commission, and developed the “Safe Harbor” framework – a cross-border data transfer mechanism that complies with European data protection laws and allows businesses to move personal data from the EU to the United States.  There is a similar but separate framework between the US and Switzerland.

To join the Safe Harbor framework, a company self-certifies to the Department of Commerce that it complies with seven data privacy principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and that it meets the EU adequacy standard.  This self-certification needs to be renewed annually.  If a company fails to complete the annual re-certification process in time, the organisation’s certification is changed to “not current”.

The Federal Trade Commission addresses any violations – indeed on 21st January 2014, the FTC identified twelve companies who claimed in their marketing material that they currently complied with the US – EU Safe Harbor Framework, but who had allowed their certification to expire.  The twelve companies range from technology, consumer products and accounting – as well as National Football League teams.

To “set an example” and to help ensure the ongoing integrity of the Safe Harbor framework, the twelve companies have been prohibited from misrepresenting the extent to which they participate in any privacy or security programme sponsored by the government or any other self-regulatory or standard-setting organisation (including the Safe Harbor Framework).

It is worth noting that agreeing to adhere to the Safe Harbor Frameworks is a permanent undertaking in that an organisation must continue to apply the Safe Harbor Privacy Principles to personal data obtained through the Safe Harbour Frameworks for as long as the organisation stores, uses or discloses the data, even if the organisation has left the Safe Harbor.

There is a Safe Harbor list, which anybody can check to verify an organisation’s status:   https://safeharbor.export.gov/list.aspx

If you are planning to transfer data between the EU and the US, and would like us to help you, just call Michelle or Victoria on 01787 277742 or email victoria@tuffillverner.co.uk or michelle@tuffillverner.co.uk

Data Compliance – Monthly Round-Up

Leave a reply

September 2013 Round-up

Information Commissioner toughens up Direct Marketing Guidelines

data compliance consentThis month the ICO has published new guidelines for direct marketers, with a particular emphasis on consent.  Those companies who make it difficult for their customers to find the “small print” run the risk of finding their so-called consent is invalid.  Essentially the ICO is looking to tighten up current consent policies, by, for example, putting tighter time limits on the period covered by consent, ensuring that the customer is not forced into consenting as part of any service policy.  Users of personal data are going to need to get used to a greater transparency and trust between themselves and their customers.  It is likely that a more creative approach to obtaining consent will be required – such as an explanation of the benefits designed to appeal to the consumer.

Third party use of data is going to become increasingly difficult too, with the onus put on the user for evidence that consent really has been given to the list provider (see Steve’s article on email marketing success).

If you are concerned that you are not entirely certain what is needed to keep your future campaigns compliant, then contact Victoria – victoria@tuffillverner.co.uk

Unsolicited direct marketing calls – the penalties

telemarketingThe Information Commissioner’s Office (ICO) is clamping down on businesses who make unsolicited direct marketing calls.  The law currently requires the ICO to prove that calls or texts are causing substantial damage or substantial distress before issuing a penalty to the perpetrator.  The ICO is now asking the government to reduce the degree of harm that needs to be proven – the aim is that an investigation would have to simply prove annoyance or nuisance before acting.

The ICO routinely collects data from complaints both to their own office and to TPS, which helps identify organisations who may cause concern.

As a result of that activity, in the first quarter of 2013, the ICO issued their first fine for making unsolicited live marketing calls.  DM Design, was fined £90,000.  In the last quarter the ICO has issued two further monetary penalty notices for making unsolicited calls – against Nationwide Energy Services (£125,000 penalty) and We Claim you Gain (£100,000 penalty) – not insubstantial amounts.

The main topics of cold marketing calls are still PPI, then Energy / Green energy and Accident claims.  These are closely followed by debt management.

Automated calls can be made from outside the UK, in which case the steps to be taken against those companies making the calls are obviously limited.

It is clear that the ICO is determined to make it very plain to all companies and organisations using (or selling) data for marketing purposes, that they must follow the law.

They select a number of companies for monitoring based on the complaints they – and TPS receive. They then review the complaints levels – and it’s amazing what a little fear can do to make even quite large companies adjust their thinking in this area.  For example, Talk Talk saw a massive 75% reduction in complaints in the nine months of monitoring; British Gas a 59% reduction in complaints over the same period; while Scottish Power complaints were reduced by 30%.

If you have any concerns over how to ensure your telemarketing is compliant, please contact Victoria – victoria@tuffillverner.co.uk

Encryption: do you understand the  options available and how you can use them?

data protection encryptionThe Data Protection Act requires organisations that are storing personal information electronically to have appropriate measures in place to keep the information secure. If the loss of this information would cause damage and distress to those affected then the Information Commissioner’s Office (ICO) expect the information to be encrypted.

If it isn’t, then an organisation is not keeping the information secure and leaving themselves open to possible enforcement action. Penalties totalling £700,000 have so far been issued to organisations who have failed to properly encrypt their data.

So it’s definitely worth looking at the different types of encryption available and making them work for your organisation.  If you are thinking about the need for encryption but don’t fully understand the different options available to you, then do contact Tony at tony@tuffillverner.co.uk

Subject access requests – failure to comply can be costly

Keyboard - blue key AccessFollowing the publication last month of the Subject Access Code of Practice, the handling of subject access requests is becoming increasingly important.  After a complaint from a member of the public, action has been taken against Cardiff City Council systemic failures leading to the inability for the council to respond to individuals’ subject access requests within the 40 day time limit.

So it’s worth noting the importance of tightening up procedures and making sure staff are properly trained to handle such requests in compliance with the DPA.

If you are unclear of your obligations and would like advice on the matter, do contact michelle@tuffillverner.co.uk

Do your employees work from home?  Or use a smartphone?

istock multi media croppedIt is well worth reviewing the measures you have in place to make sure personal information being accessed and used by home workers is being kept secure.  It is now becoming increasingly popular for individuals to work from home, and to access data via tablets and smartphones.

Aberdeen City Council has just been served with a penalty of £100,000 after sensitive personal information relating to the care of vulnerable children was inadvertently posted online by one of their home workers. The information was freely available for a three-month period before a council employee spotted it and the information was taken down.

An investigation found that the council had no means of monitoring how personal information was being accessed and used by their home workers and, worse yet, provided no guidance to help people working from home keep personal information secure.

So do make sure you follow the guidelines, especially if your employees are using smartphones and other personal devices to access personal data outside the office.  If you’d like some information on the sorts of measures you should be taking, please contact Michelle – michelle@tuffillverner.co.uk

New teaching materials will help young people to take control of their information

Great news that the ICO has published new teaching materials for schools to help teachers explain to young people the importance of looking after their personal information.  Especially since a 2011 survey showed that, although 9 out of 10 secondary school pupils were using a social networking website, 60% paid no attention to that website’s privacy policy.

The educational material has been developed by teachers and tailored to specific areas of the curriculum with a focus on helping youngsters understand the value and importance of their personal information and teaching them how they can look after it.

No surprise after Leveson consultation that the Press is deemed to need further guidance on conduct and ethics

Last year’s Leveson Inquiry provided a number of recommendations relating to the conduct and ethics of the press. The most high-profile recommendation for the ICO office was that it should better educate the press about their legal obligations under the DPA.

A consultation was launched in March to find out stakeholder’s views on a potential code of practice to explain the law as it stands. Responses were received from several media companies, individuals, regulators and representative bodies. The responses have raised concerns that any new code of practice would cause confusion with the existing editor’s code!

Tuffill Verner Associates provides data compliance advice – if you have any concerns or are unclear on a particular issue, just drop us an email or give us a call.

victoria@tuffillverner.co.uk   01787 277742 / 07967 148398

michelle@tuffillverner.co.uk   01206 392909 / 07760 257427

Data Protection Compliance – who cares?

1 Reply

iStock_000025097331XSmall

More than half the UK population cares enough to bother to start using tick boxes and opt-outs.  And then, of course, there is the Information Commissioner’s Office … they certainly care.  There’s been a general uproar over Google’s methods of data collection … over the NHS hard drives containing sensitive patient information being sold on an internet auction site … over PPI telemarketing calls … and so on … we’re all starting to care more and more over who has, who uses, who owns, who controls and who processes our data – and for what purpose.

What is the Data Protection Act anyway?

That’s why we have The Data Protection Act 1998.  It establishes a framework designed to keep yours and my personal data safe.  And it requires anybody who is a “data controller” – regardless of the size of the business – to register with the Information Commissioner’s Office if they are processing personal information.  There are  a very few exemptions.  To date, over 370,000 organisations are registered.

The Data Protection Act has been designed to balance organisations’ need to collect and use personal data for business and for other purposes versus the rights of individuals to privacy of their personal details.  This balancing act is complex and can be hard to understand.

In addition, the evolving complexities of the internet and e-commerce needed further data protection consideration, so the Privacy and Electronic (EC Directive) Regulations were introduced in 2003. And on top of all that, the EU Directive is still under discussion – this will require further data protection steps to be put into place.

Do I have to comply?

The answer is YES.  Regardless of the size of your business, if you are a data controller and processing personal data, it is a legal requirement to be data compliant.  Part of that process is to notify the ICO that you are a controller and the purpose for which you are collecting and using data.  And it is worth noting that all personal data is covered, including business contacts – business to business contacts are not exempt.

The consequences of non-compliance

handcuffs and money computerIt is progressively unlikely that companies can “get away with” non-compliance.  UK individuals are increasingly aware of their rights in relation to data protection, and are ready to complain to the Information Commissioner’s Office (ICO) if they believe (or just suspect) that a business is not using their personal data compliantly, The ICO can impose fines of up to £ 500,000 against those who are in serious, reckless or deliberate breach of the Data Protection Act.

  • Fines and imprisonment – many breaches are criminal offences, and it’s worth noting that Directors may be personally liable for companies in breach and can be prosecuted and imprisoned.  Having the Information Commissioner turn up on your doorstep with a court order and inspection warrant is highly damaging in terms of reputation, time and resource requirements, and fines.  For example, Tetrus Telecomms was fined £300,000 for serious compliance breaches, and a number of county and borough councils have also been fined for a range of breaches including leaving personal data on a train; losing a laptop containing sensitive personal data and so on.  At the time of writing, the Information Commissioner’s Office has issued 36 fines, totalling £4,236,000 – an average of £117,667 per fine.
  • Publicity – any investigations as a result of complaint are likely to result in very high administration costs, and the Information Commissioner will publicise successful prosecutions or upheld complaints.  In this case, all publicity is absolutely not good publicity.
  • Subject access requests – non-compliance can result both in fine and compensation claims
  • Staff – can be held individually responsible for breaches, and if their employer hasn’t given them the necessary training to comply, they may sue their employer
  • Lost revenue – if the marketing permissions have not been correctly provided when collecting data, then that data may not be used.  In addition, if it is deemed that the data has been collected unfairly, it is quite feasible that the company will be required to eliminate all customer and prospect records from databases.  In either event this can be costly – both in terms of original collection costs and lost revenue

To avoid these issues, the first step towards compliance is to understand the eight clearly defined common-sense principles within the legislation.

The Eight Principles of Data Compliance

The Information Commissioner’s Office summarises the principles of data compliance very clearly:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless(a) at least one of the conditions in Schedule 2 is met, and(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For point 1 above, Schedule 2 examples include:

  • The individual whose personal data is being processed has consented to the processing
  • The processing is necessary in relation to a contract into which the individual has entered or is about to enter
  • The processing is necessary to protect the individual’s “vital interests” – such as medical history for emergency treatment
  • The processing is necessary for administering justice or for exercising statutory, governmental or other public functions)

The term, “sensitive personal data” (in 1(b) above) includes such data as ethnicity, political or religious beliefs, physical or mental health and so on.

How do I comply?

There are a number of considerations in relation to data compliance, including, among the main areas:

  • Notification – the ICO must be notified and accurately advised of the purposes of the personal data you are processing
  • Principles – follow the data protection principles when handling personal information
  • Fairness – the subjects of the data you process must be aware of what you are doing with their personal data
  • Security – this is a vital area, and covers computers, systems and staff.  In summary, it is  vital to

keep personal data secure whether in storage, in use, or legitimately being shared

make sure that data access is restricted only to those who need access to it

be certain than any records or equipment which are destroyed or disposed of do not hold personal information which can subsequently be accessed

    • Policies – data governance is an essential part of data compliance.  Policies and procedures for handling personal data need to be both clear, practical, monitored and enforced.
    • Subject access requests – individuals are perfectly entitled to request a copy of the personal information your organisation holds about them.  You must provide the information requested within 40 days, and may charge a fee of up to £10.  Schools and health authorities operate on a sliding scale up to a maximum of £50.  It is helpful to log and monitor such subject access requests
    • Data processors – when using data processors to process data on your behalf, ensure they are doing so securely and compliantly
    • Training – it is essential that employees and those with access to personal information are fully trained in data compliance.  Employee negligence is a significant factor in terms of data and IT security breaches.  Effective training mitigates the risk of unwitting breaches.
    • Transfer abroad – though sending data to an organisation in the EEA involves the same security and compliance principles as in the UK.  Exporting data to the US requires Safe Harbor or contract to ensure adequate protection for the data subjects.

Keeping your Marketing Compliant

Between them the Data Protection Act 1998 and the Privacy and Electronic (EC Directive) Regulations 2003 are the backbone of compliant marketing use of customer and prospect data – both business-to-business and business-to-consumer, both physical and electronic.

It is increasingly important both to be compliant and to be seen to be compliant in terms of collection and use of personal data, whatever the size of your business.  But it can be a tricky area to navigate.

In our marketing and data consultancy, Tuffill Verner Associates, we have helped businesses navigate data permissions and compliance across B2C and B2B.  With over 30 years experience each, Victoria Tuffill and Michelle Evans are well placed to help marketers stay compliant while still achieving their marketing goals.  We provide clear, tailored practical and creative advice to marketers to solve the difficulties of achieving results while staying within the confines of legal compliance.

If you’d like to chat about your data compliance or governance needs, please call Victoria or Michelle on 01787 277742.

Data … big data? Or back to the Dark Ages

Leave a reply

Back in the 80s, there was this thing called “junk mail”.  And it was so called because it involved blanket mailing a mass market with little or no targeting. In other words, the message was irrelevant to a huge proportion of the recipients, so just got thrown in the bin.

Then we discovered targeting, analysis, insight and profiling.  And the direct mail messages become more appropriate, relevant, cost effective, and considerably less irritating to the consumer.  A classic case of less was more.

I remember the day that “personalised laser text” became available, and we were able to send out mailings with personally addressed letters which referenced the prospect’s other interests.  Letters that said (something along the lines of)

Dear Mrs Bloggs,

Because of your interest in the world’s wild places, we wanted to introduce you to our our brand new books which demonstrate the extraordinary and dramatic nature of our own planet earth … from volcanoes to earthquakes …. 

The letter, including that simple piece of “personal” text, was enclosed into a small envelope with a miniscule brochure and mailed out.  It achieved over three times the response of the standard pre-printed control direct mail letter which was mailed in large envelope with enormous, heavy, expensive brochure

But now the European Union is proposing to take us back to the Dark Ages and the days of blanket mailings.  Their new proposed legislation is currently in progress, and will impact every level of prospect marketing.

It’s quite clear that the increasing use of new technology makes revisions to current data law essential, particularly given consumer concern over privacy which has not helped by our own government’s appallingly cavalier behaviour and carelessness with our personal data.  (Some of the breaches committed by government departments would have, if committed by the data industry, have caused severe punitive measures.  Somehow when it’s the government which gets it wrong, the whole thing just quietly gets swept under the carpet. Rant over…)

However, in addition to technological and social media impact, the traditional media channels will suffer significant difficulties.

A brief summary of the key areas is listed below:

  1. Explicit consent to be granted by the recipient prior to any direct marketing – either by word or by action.  In practice this means that where consent is required, organisations must ask for permission to process data.  Without such explicit permission, marketing prospects will not be allowed to receive mailings or cold telemarketing calls.  Current legislation allows such mailings and / or calls to be made unless the prospect has actively opted out.
  2. The customer has the “right to be forgotten” – ie they can insist that their details are emoved from a database in their entirety.  This is entirely impractical.  Once deleted, when or if that customer appears again on the database (if, for example, rented from a third party list, or in the event that the customer makes another purchase), the customer’s request for deletion will have vanished.  So in practice, the “right to be forgotten” should trigger the inclusion of that customer into a ”suppression” or “do not mail” file so that there is no inappropriate future contact.
  3. Profiling or segmentation may not take place without consent.  This will have serious impact on those data businesses which hold shared transactional data from multiple companies, or geo-demographic data, or indeed simply work with marketing profiling models.
  4. List broking is likely to require significant changes to comply with new legislation.
  5. The definition of personal data has been extended to include, potentially, IP addresses and some cookies.  Quite apart from the fact that an IP address or cookie may be used by a number of individuals, this will make it much more difficult for businesses to analyse and profile web activity.  The impact on digital marketing will be significant and, arguably (given that there will be no ability to provide relevant, targeted marketing) counter-productive.
  6. Cost:  DMA (UK) Ltd research shows that complying with the proposed regulation could cost companies an average of £76,000 each. It estimates a total loss to UK industry of up to £47 billion in lost sales.  These costs come, in part, from:
  • Companies with 250 or more employees will need to appoint a data protection officer
  • Under current legislation, subject access requests can be charged at £10 each.  Under the proposed new legislation, this charge is to be eliminated. This is likely to result in increased numbers of requests.  In addition to the lost revenue from existing volumes of which is likely to increase the number of requests, frivolous and serious.
  • Every organisation that suffers a data security breach would have to notify Information commissioner within 24 hours
  • Right to compensation from the controller or the processor in the event of processing activity causing damage to a person
  • Increased fines / sanctions to be imposed

On the face of it, the picture looks pretty bleak.  But there’s no need to despair just yet – there is time to provide our views on required adjustment, amendment and refinement  before these proposals are ratified and become law in the UK.

But for that to happen, businesses need to act now.  There is a fantastically detailed amount of excellent information to be found at the DMA (UK) Ltd.     So have a look and check to see how the current proposals are likely to affect your business and your marketing.

Then we need to write to our MEPs – and the DMA has made this easy by providing this link which has all the vital information, including who your MEPs are.   We need to ask them to fight for the fair interests of business.

We’re all for sharing knowledge and information and enjoy a healthy debate, so if you have any questions, views, tips or knowledge, please  just “reply” below. Victoria Tuffill – victoria@tuffillverner.co.uk   01787 277742 or  07967 148398.   Feel free to visit our website.  And yes, we’re on Linked In, and Twitter