The 20 minute course in... data protection - The Marketer magazine http://www.themarketer.co.uk/articles/professional-development/fast-la... 15/7/2009 1:40 µµ

The 20 Minute Course in Data Protection


Fastlane

The 20 minute course in... data protection 

Do you know where your data came from? Do your customers know you have it and what you plan to do with it? If the answer is no, you’ve got a problem.

The recent raft of high-profile data gaffes to hit the headlines has brought the issues of data protection and data storage to the fore. With the media watching for the next slip up, marketers simply can’t afford to ignore this area if they want to protect the integrity and reputation of their brand.

Data professionals have traditionally sat behind the scenes, mining data to feed into the marketing team’s creative plans. But data management is now increasingly being integrated into the rest of the business as we realise that data doesn’t only need to be accurate and up to date, but also needs to be gathered and protected fairly and securely. While the rules and regulations under the Data Protection Act (DPA) can appear daunting, the main principles are relatively straightforward. Phil Jones, assistant commissioner at the Information Commissioner’s Office (ICO), explains: “Essentially, any organisation that processes and stores personal information must comply with the eight principles of ‘good information handling’.”

 

The main principles

 

These eight principles relate to ensuring personal data is processed honestly and safely and that it is current and correct. “By following the simple principles of the DPA, organisations can ensure they retain the confidence and trust of their customers,” Jones explains. They can also make sure they stay on the right side of the law.

Mike Bradford, director of regulatory and consumer affairs at Experian, agrees: “The use of data is all about common sense and optimising relationships with customers. The DPA gives marketers a sensible framework for marketing responsibly.” He believes that many organisations start the marketing process by looking at how they should tackle the DPA, when in fact they should start the other way round.

“Marketers should look at their customer base and determine how they can make the most of it. They should then think about how they can do this without breaching the DPA to build long, profitable relationships.”

 

Organisations that act responsibly and are clear and transparent about what they are doing with their customers’ data will ultimately extract the most benefit from it.

But for many organisations the intricacies of the Act do cause confusion. Nigel Magson, chairman of Tangible Data, points out: “Even experienced data marketers and lawyers are struggling to get clarification on certain circumstances.” Magson advises marketers to ensure they’re familiar with the latest legislation, regulations and codes of practice and, he says, “if you are in any doubt at all, seek professional advice”.

"Access to data should only be granted to individuals who need it in order to perform their job"

Dos and don’ts

Do keep customers informed about how you are using their data. They won’t thank you for unexpected marketing communications.

Do ensure you give customers the opportunity to opt out of receiving marketing communications.

Do understand the intricacies of the Data Protection Act and work within its constraints to ensure best practice.

Don’t pass customer data to a third party without the subject’s consent.

Don’t keep data on file for longer than is necessary.

Don’t allow employees to access sensitive customer data unless they need to in order to perform their job.

Data storage

The most important element of data storage is security. It is imperative that customer data does not fall into the wrong hands and that sensitive, personal information is not compromised. Once that happens, it can be nigh on impossible for any brand to regain its customers’ trust and rebuild its relationship with them.

“You need to control secure access, especially if multiple parties are going to be using the data,” explains Magson. “Encrypted technology is now prolific, with security passwords for data access and varying levels of functionality. This allows different people to have differing access levels depending on what they need to do with the data.”

Access to data should not be given to just anyone within an organisation and should only be granted to individuals who need access in order to perform their job. Michael Brown, group security manager at Callcredit Information Group, explains: “Databases must be protected by both physical and logical security, and access should be restricted to those with legitimate need. In addition, access and usage should be monitored, and people with legitimate access should be trained and supported in using the data appropriately.”

Bradford believes there should also be an audit trail, so that if any data is compromised it can be traced both internally and externally. While there is some disagreement about how sensitive different elements of data are – and therefore what level of protection they require – Bradford advises that all data should be treated sensitively, because even name and address data could be powerful in the wrong hands.

And don’t forget to ditch data you no longer need. James Castro-Edwards, a solicitor for Speechly Bircham LLP, notes that because the DPA stipulates that data should not be stored for longer than is necessary, it is important to “operate an effective data retention policy and delete data after a certain period”. The timescale for this will depend on the nature of the data that has been collected and its use.

Keeping data fresh

Under the DPA, organisations must “ensure systems are in place to keep records containing personal information accurate and current,” says Jones. “For example, if an individual contacts the organisation to ask for their details to be deleted from a mailing list then the necessary steps must be taken to ensure that person does not receive further marketing.”

Bradford suggests creating a suppression list rather than deleting a record completely in this instance. He explains: “If you delete a record and subsequently buy another list of names for marketing purposes you won’t be able to cross check it against any existing data you’ve got and, therefore, you may inadvertently contact someone who has already asked you to stop mailing them.” Again, he says, it comes down to good old-fashioned common sense.

And don’t forget, data decays at an alarming rate. “Regular updating and refreshing is crucial,” says Magson. “Data goes out of date very quickly, so you have to keep on top of this with constant data management – ‘de-dupes’, suppression against ‘goneaways’, the deceased and so on.”

Honesty and transparency

 

 

If you want to make sure you’re complying with the DPA and keeping customers happy and trusting, Castro-Edwards suggests appointing someone who is responsible for data protection across the whole organisation.

“They should be responsible for developing outward-looking policies so that you are telling customers what you are doing with their data, as well as policies that look inwards informing staff what they can and can’t do with customer data.” Organisations that don’t do this risk being named and shamed, undoing all the hard work they have done collecting the data in the first place.

Once an organisation has a customer’s details on file, transparency is vital. Customers must be made aware that they may receive marketing information from other parties, so that they are not surprised to receive it and so that the firm can ensure it is relevant. “If organisations fail to be transparent they will alienate customers and waste money on sending marketing communications to people who simply aren’t interested,” says Bradford.

Permission-based marketing is now a “must have” for any reputable company. Many organisations still seem reluctant to be completely honest with customers about their intentions for their data, for fear of putting them off providing their details. However, as Castro-Edwards points out, it’s when companies don’t tell customers what they’re doing that DPA breaches are likely to occur.

“You need to tell customers in a user-friendly way what you are intending to do, so they aren’t terrified,” he explains. Bradford agrees: “You need to explain your intentions clearly and give them the opportunity to opt in or opt out. Some firms still hide this kind of information in the small print, but it is important to be clear because you want to build a good relationship with them.

“This is the first stage of the customer’s experience with you so if they tick a box saying they don’t want to receive any marketing communications then it immediately removes someone from the marketing pool who would be annoyed if they did receive the information. Organisations must view this positively rather than seeing it as a negative.”

Jones concurs that it is crucial to be honest with customers about your purpose in gathering their data. “Customers must be aware of how their information will be used and whether it will be passed to a third party,” he says.

Consumer trust is imperative, Magson says: “It is critical to protect and build on consumer trust because so much of what we do depends on their decision to give their data.” He says: “We marketers need customers’ data, so we should be doing everything we can to encourage that all-important trust.” One way to build trust is to target customers intelligently, ensuring they only receive data that is relevant to them.

While companies are legally bound to be open with customers, Brown believes organisations also have an ethical duty to be open about the data they are collecting and the purposes for which they are going to use it. In short, he says, “be open, be truthful and be consistent”.

 

Avoiding the pitfalls

 

To ensure they don’t fall foul of the regulations and risk the reputation of their brand, marketers must ensure they avoid some common mistakes when it comes to storing or using customer data. These include having weak or non-existent control over access to the data; sharing data without the subject’s consent; not keeping data clean and up to date; and transferring data without encrypting it.

 

The list is not exhaustive and, ultimately, marketers must adhere to the principles of the DPA and use their common sense when handling data. Brown advises: “Consider the risks associated with the data before considering the necessary protection. And consider what vulnerabilities or weaknesses could make those risks a reality.”

When third parties are involved in the protection of customer data, you should always challenge and assess the security provision they make. “When it comes to customer data, organisations simply can’t be too careful and shouldn’t take anything for granted,” says Brown. “Marketers should get to know the DPA inside out and ensure its principles are embedded in their organisation.”

It may sound like a lot of drama over what may be just a few e-mail addresses, but as Magson points out: “Without rigorous security policies it’s very easy to get caught out. And as an industry we’d be fools if we didn’t try harder to protect consumer trust, because we thrive on personal information – data is the lifeblood of marketing.”

As a marketer, you don’t want to be left carrying the can if your company makes the headlines for all the wrong reasons, so make sure you avoid infamy by adhering to best-practice guidelines and working hard to guarantee your customer data is fully compliant.

Are you ready to gather customer data?

• You are aware of the rules and regulations under the DPA and ensure all your company’s data is processed fairly and securely and is kept accurate and up to date.

• You look at ways of optimising your customer database to build long-term profitable relationships and you view the DPA as a sensible framework to help you achieve this.

• You understand that the security of your data is paramount and take all the necessary steps to ensure your data doesn’t fall into the wrong hands. In terms of security you don’t take anything for granted.

• You believe in transparency and work hard to ensure your customers know exactly what you are planning to do with their data, while ensuring you give them the opportunity to opt out of receiving marketing communications from you.

• You understand the importance of data to the overall marketing process and therefore strive to work within the confines of the DPA in order to boost customer trust and, ultimately, safeguard the future of the industry.

Emily Cubitt is a freelance journalist who writes for titles including Precision Marketing.

Tips from the top

Phil Jones, assistant commissioner at the Information Commissioner’s Office (ICO), highlights some of the key principles of the Data Protection Act

Organisations must ensure personal data is processed fairly and securely. Failure to adequately protect personal data can result in personal or sensitive information falling into the wrong hands and can ultimately damage trust.

Any data held on customers must be accurate and up to date. ICO research shows almost 70 per cent of organisations are aware of this and we continue to work with those that aren’t, raising awareness of their responsibilities under the Act.

Organisations must only retain information for as long as is necessary in relation to the purposes for which it was initially collected. And if organisations intend to share marketing lists with other companies they should be open with individuals from the outset about how their information will be used and to whom it will be passed.

Individuals have the right under the Data Protection Act to opt out of providing information for marketing purposes. Organisations must comply with any such request from an individual and be open and clear with consumers when gathering their personal information.