Fastlane
The 20 minute course in... data protection
Do you know where your data came from? Do your customers know you have it
and what you plan to do with it? If the answer is no, you’ve got a problem.
The recent raft of high‑profile data gaffes to hit the headlines has brought the
issues of data protection and data storage to the fore. With the media watching
for the next slip up, marketers simply can’t afford to ignore this area if they want
to protect the integrity and reputation of their brand.
Data professionals have traditionally sat behind the scenes, mining data to feed
into the marketing team’s creative plans. But data management is now
increasingly being integrated into the rest of the business as we realise that data
doesn’t only need to be accurate and up to date, but also needs to be gathered
and protected fairly and securely.
While the rules and regulations under the Data Protection Act (DPA) can appear
daunting, the main principles are relatively straightforward. Phil Jones, assistant
commissioner at the Information Commissioner’s Office (ICO), explains:
“Essentially, any organisation that processes and stores personal information
must comply with the eight principles of ‘good information handling’.”
The main principles
These eight principles relate to ensuring personal data is processed honestly
and safely and that it is current and correct. “By following the simple principles of
the DPA, organisations can ensure they retain the confidence and trust of their
customers,” Jones explains. They can also make sure they stay on the right side
of the law.
Mike Bradford, director of regulatory and consumer affairs at Experian, agrees:
“The use of data is all about common sense and optimising relationships with
customers. The DPA gives marketers a sensible framework for marketing
responsibly.” He believes that many organisations start the marketing process by
looking at how they should tackle the DPA, when in fact they should start the
other way round.
“Marketers should look at their customer base and determine how they can
make the most of it. They should then think about how they can do this without
breaching the DPA to build long, profitable relationships.”
The 20 minute course in... data protection - The Marketer magazine http://www.themarketer.co.uk/articles/professional-development/fast-la...
1 of 4 15/7/2009 1:40 µµ
Organisations that act responsibly and are clear and transparent about what
they are doing with their customer’s data will ultimately extract the most benefit
from it.
But for many organisations the intricacies of the Act do cause confusion. Nigel
Magson, chairman of Tangible Data, points out: “Even experienced data
marketers and lawyers are struggling to get clarification on certain
circumstances.” Magson advises marketers to ensure they’re familiar with the
latest legislation, regulations and codes of practice and, he says, “if you are in
any doubt at all, seek professional advice”.
Data storage
The most important element of data storage is security. It is imperative that
customer data does not fall into the wrong hands and that sensitive, personal
information is not compromised. Once that happens, it can be nigh on impossible
for any brand to regain its customers’ trust and rebuild its relationship with them.
“You need to control secure access, especially if multiple parties are going to be
using the data,” explains Magson. “Encrypted technology is now prolific, with
security passwords for data access and varying levels of functionality. This
allows different people to have differing access levels depending on what they
need to do with the data.”
Access to data should not be given to just anyone within an organisation and
should only be granted to individuals who need access in order to perform their
job. Michael Brown, group security manager at Callcredit Information Group,
explains: “Databases must be protected by both physical and logical security,
and access should be restricted to those with legitimate need. In addition,
access and usage should be monitored, and people with legitimate access
should be trained and supported in using the data appropriately.”
Bradford believes there should also be an audit trail, so that if any data is
compromised it can be traced both internally and externally. While there is some
disagreement about how sensitive different elements of data are – and therefore
what level of protection they require – Bradford advises that all data should be
treated sensitively, because even name and address data could be powerful in
the wrong hands.
And don’t forget to ditch data you no longer need. James Castro-Edwards, a
solicitor for Speechly Bircham LLP, notes that because the DPA stipulates that
data should not be stored for longer than is necessary, it is important to “operate
an effective data retention policy and delete data after a certain period”. The
timescale for this will depend on the nature of the data that has been collected
and its use.
Keeping data fresh
Under the DPA, organisations must “ensure systems are in place to keep
records containing personal information accurate and current,” says Jones. “For
example, if an individual contacts the organisation to ask for their details to be
deleted from a mailing list then the necessary steps must be taken to ensure that
person does not receive further marketing.”
Bradford suggests creating a suppression list rather than deleting a record
completely in this instance. He explains: “If you delete a record and subsequently
buy another list of names for marketing purposes you won’t be able to cross
check it against any existing data you’ve got and, therefore, you may
inadvertently contact someone who has already asked you to stop mailing them.”
Again, he says, it comes down to good old-fashioned common sense.
And don’t forget, data decays at an alarming rate. “Regular updating and
refreshing is crucial,” says Magson. “Data goes out of date very quickly, so you
have to keep on top of this with constant data management – ‘de-dupes’,
suppression against ‘goneaways’, the deceased and so on.”
“Access to data should only be granted to individuals who need it in order to perform their job”
Dos and don’ts
• Do keep customers informed about how you are using their data. They won’t thank you for unexpected marketing communications.
• Do ensure you give customers the opportunity to opt out of receiving marketing communications.
• Do understand the intricacies of the Data Protection Act and work within its constraints to ensure best practice.
• Don't pass customer data to a third party without the subject’s consent.
• Don't keep data on file for longer than is necessary.
• Don't allow employees to access sensitive customer data unless they need to in order to perform their job.
Honesty and transparency
If you want to make sure you’re complying with the DPA and keeping customers
happy and trusting, Castro-Edwards suggests appointing someone who is
responsible for data protection across the whole organisation.
“They should be responsible for developing outward-looking policies so that you
are telling customers what you are doing with their data, as well as policies that
look inwards informing staff what they can and can’t do with customer data.”
Organisations that don’t do this risk being named and shamed, undoing all the
hard work they have done collecting the data in the first place.
Once an organisation has a customer’s details on file, transparency is vital. They
must be made aware that they may receive marketing information from other
parties, so that they are not surprised to receive it and so that the firm can
ensure it is relevant. “If organisations fail to be transparent they will alienate
customers and waste money on sending marketing communications to people
who simply aren’t interested,” says Bradford.
Permission-based marketing is now a “must have” for any reputable company.
Many organisations still seem reluctant to be completely honest with customers
about their intentions for their data, for fear of putting them off providing their
details. However, as Castro-Edwards points out, it’s when companies don’t tell
customers what they’re doing that DPA breaches are likely to occur.
“You need to tell customers in a user-friendly way what you are intending to do,
so they aren’t terrified,” he explains. Bradford agrees: “You need to explain your
intentions clearly and give them the opportunity to opt in or opt out. Some firms
still hide this kind of information in the small print, but it is important to be clear
because you want to build a good relationship with them.
“This is the first stage of the customer’s experience with you so if they tick a box
saying they don’t want to receive any marketing communications then it
immediately removes someone from the marketing pool who would be annoyed
if they did receive the information. Organisations must view this positively rather
than seeing it as a negative.”
Jones concurs that it is crucial to be honest with customers about your purpose
in gathering their data. “Customers must be aware of how their information will
be used and whether it will be passed to a third party,” he says.
Consumer trust is imperative, Magson says: “It is critical to protect and build on
consumer trust because so much of what we do depends on their decision to
give their data.”
He says: “We marketers need customers’ data, so we should be doing
everything we can to encourage that all-important trust.” One way to build trust
is to target customers intelligently, ensuring they only receive data that is
relevant to them.
While companies are legally bound to be open with customers, Brown believes
organisations also have an ethical duty to be open about the data they are
collecting and the purposes for which they are going to use it. In short, he says,
“be open, be truthful and be consistent”.
Avoiding the pitfalls
To ensure they don’t fall foul of the regulations and risk the reputation of their
brand, marketers must ensure they avoid some common mistakes when it
comes to storing or using customer data. These include having weak or
non-existent control over access to the data; sharing data without the subject’s
consent; not keeping data clean and up to date; and transferring data without
encrypting it.
The list is not exhaustive and, ultimately, marketers must adhere to the principles
of the DPA and use their common sense when handling data. Brown advises:
“Consider the risks associated with the data before considering the necessary
protection. And consider what vulnerabilities or weaknesses could make those
risks a reality.”
When third parties are involved in the protection of customer data, you should
always challenge and assess the security provision they make. “When it comes
to customer data, organisations simply can’t be too careful and shouldn’t take
anything for granted,” says Brown. “Marketers should get to know the DPA
inside out and ensure its principles are embedded in their organisation.”
It may sound like a lot of drama over what may be just a few e-mail addresses,
but as Magson points out: “Without rigorous security policies it’s very easy to get
caught out. And as an industry we’d be fools if we didn’t try harder to protect
consumer trust, because we thrive on personal information – data is the lifeblood
of marketing.”
As a marketer, you don’t want to be left carrying the can if your company makes
the headlines for all the wrong reasons, so make sure you avoid infamy by
adhering to best-practice guidelines and working hard to guarantee your
customer data is fully compliant.
Are you ready to gather customer data?
• You are aware of the rules and regulations under the DPA and ensure all your
company’s data is processed fairly and securely and is kept accurate and up to date.
• You look at ways of optimising your customer database to build long‑term
profitable relationships and you view the DPA as a sensible framework to help
you achieve this.
• You understand that the security of your data is paramount and take all
the necessary steps to ensure your data doesn’t fall into the wrong hands. In
terms of security you don’t take anything for granted.
• You believe in transparency and work hard to ensure your customers know
exactly what you are planning to do with their data, while ensuring you give them
the opportunity to opt out of receiving marketing communications from you.
• You understand the importance of data to the overall marketing process
and therefore strive to work within the confines of the DPA in order to boost
customer trust and, ultimately, safeguard the future of the industry.
Tips from the top
Phil Jones, assistant commissioner at the Information Commissioner’s Office (ICO), highlights some of the key principles of the Data Protection Act:
• Organisations must ensure personal data is processed fairly and securely. Failure to adequately protect personal data can result in personal or sensitive information falling into the wrong hands and can ultimately damage trust.
• Any data held on customers must be accurate and up to date. ICO research shows almost 70 per cent of organisations are aware of this and we continue to work with those that aren’t, raising awareness of their responsibilities under the Act.
• Organisations must only retain information for as long as is necessary in relation to the purposes for which it was initially collected. And if organisations intend to share marketing lists with other companies they should be open with individuals from the outset about how their information will be used and to whom it will be passed.
• Individuals have the right under the Data Protection Act to opt out of providing information for marketing purposes. Organisations must comply with any such request from an individual and be open and clear with consumers when gathering their personal information.
Emily Cubitt is a freelance journalist who writes for titles including Precision
Marketing