
The 20 minute course in... data protection - The Marketer magazine

http://www.themarketer.co.uk/articles/professional-development/fast-la...

Fastlane The 20 minute course in... data protection


Do you know where your data came from? Do your customers know you have it and what you plan to do with it? If the answer is no, you've got a problem.

"Access to data should only be granted to individuals who need it in order to perform their job"

The recent raft of high-profile data gaffes to hit the headlines has brought the issues of data protection and data storage to the fore. With the media watching for the next slip-up, marketers simply can't afford to ignore this area if they want to protect the integrity and reputation of their brand.

Data professionals have traditionally sat behind the scenes, mining data to feed into the marketing team's creative plans. But data management is now increasingly being integrated into the rest of the business as we realise that data doesn't only need to be accurate and up to date, but also needs to be gathered and protected fairly and securely.

While the rules and regulations under the Data Protection Act (DPA) can appear daunting, the main principles are relatively straightforward. Phil Jones, assistant commissioner at the Information Commissioner's Office (ICO), explains: Essentially, any organisation that processes and stores personal information must comply with the eight principles of good information handling.

The main principles

These eight principles relate to ensuring personal data is processed honestly and safely and that it is current and correct. By following the simple principles of the DPA, organisations can ensure they retain the confidence and trust of their customers, Jones explains. They can also make sure they stay on the right side of the law.

Mike Bradford, director of regulatory and consumer affairs at Experian, agrees: The use of data is all about common sense and optimising relationships with customers. The DPA gives marketers a sensible framework for marketing responsibly. He believes that many organisations start the marketing process by looking at how they should tackle the DPA, when in fact they should start the other way round. Marketers should look at their customer base and determine how they can make the most of it. They should then think about how they can do this without breaching the DPA to build long, profitable relationships. Organisations that act responsibly and are clear and transparent about what they are doing with their customers' data will ultimately extract the most benefit from it.

But for many organisations the intricacies of the Act do cause confusion. Nigel Magson, chairman of Tangible Data, points out: Even experienced data marketers and lawyers are struggling to get clarification on certain circumstances. Magson advises marketers to ensure they're familiar with the latest legislation, regulations and codes of practice and, he says, if you are in any doubt at all, seek professional advice.

Data storage

The most important element of data storage is security. It is imperative that customer data does not fall into the wrong hands and that sensitive, personal information is not compromised. Once that happens, it can be nigh on impossible for any brand to regain its customers' trust and rebuild its relationship with them.

You need to control secure access, especially if multiple parties are going to be using the data, explains Magson. Encrypted technology is now prolific, with security passwords for data access and varying levels of functionality. This allows different people to have differing access levels depending on what they need to do with the data.

Access to data should not be given to just anyone within an organisation and should only be granted to individuals who need access in order to perform their job. Michael Brown, group security manager at Callcredit Information Group, explains: Databases must be protected by both physical and logical security, and access should be restricted to those with legitimate need. In addition, access and usage should be monitored, and people with legitimate access should be trained and supported in using the data appropriately. Bradford believes there should also be an audit trail, so that if any data is compromised it can be traced both internally and externally.

While there is some disagreement about how sensitive different elements of data are, and therefore what level of protection they require, Bradford advises that all data should be treated sensitively, because even name and address data could be powerful in the wrong hands.

And don't forget to ditch data you no longer need. James Castro-Edwards, a solicitor for Speechly Bircham LLP, notes that because the DPA stipulates that data should not be stored for longer than is necessary, it is important to operate an effective data retention policy and delete data after a certain period. The timescale for this will depend on the nature of the data that has been collected and its use.

Keeping data fresh

Under the DPA, organisations must ensure systems are in place to keep records containing personal information accurate and current, says Jones. For example, if an individual contacts the organisation to ask for their details to be deleted from a mailing list then the necessary steps must be taken to ensure that person does not receive further marketing.

Bradford suggests creating a suppression list rather than deleting a record completely in this instance. He explains: If you delete a record and subsequently buy another list of names for marketing purposes you won't be able to cross check it against any existing data you've got and, therefore, you may inadvertently contact someone who has already asked you to stop mailing them. Again, he says, it comes down to good old-fashioned common sense.

And don't forget, data decays at an alarming rate. Regular updating and refreshing is crucial, says Magson. Data goes out of date very quickly, so you have to keep on top of this with constant data management: de-dupes, suppression against goneaways, the deceased and so on.

Dos and don'ts

Do keep customers informed about how you are using their data. They won't thank you for unexpected marketing communications.
Do ensure you give customers the opportunity to opt out of receiving marketing communications.
Do understand the intricacies of the Data Protection Act and work within its constraints to ensure best practice.
Don't pass customer data to a third party without the subject's consent.
Don't keep data on file for longer than is necessary.
Don't allow employees to access sensitive customer data unless they need to in order to perform their job.

Honesty and transparency


If you want to make sure you're complying with the DPA and keeping customers happy and trusting, Castro-Edwards suggests appointing someone who is responsible for data protection across the whole organisation. They should be responsible for developing outward-looking policies so that you are telling customers what you are doing with their data, as well as policies that look inwards, informing staff what they can and can't do with customer data. Organisations that don't do this risk being named and shamed, undoing all the hard work they have done collecting the data in the first place.

Once an organisation has a customer's details on file, transparency is vital. They must be made aware that they may receive marketing information from other parties, so that they are not surprised to receive it and so that the firm can ensure it is relevant. If organisations fail to be transparent they will alienate customers and waste money on sending marketing communications to people who simply aren't interested, says Bradford. Permission-based marketing is now a must-have for any reputable company.

Many organisations still seem reluctant to be completely honest with customers about their intentions for their data, for fear of putting them off providing their details. However, as Castro-Edwards points out, it's when companies don't tell customers what they're doing that DPA breaches are likely to occur. You need to tell customers in a user-friendly way what you are intending to do, so they aren't terrified, he explains.

Bradford agrees: You need to explain your intentions clearly and give them the opportunity to opt in or opt out. Some firms still hide this kind of information in the small print, but it is important to be clear because you want to build a good relationship with them. This is the first stage of the customer's experience with you so if they tick a box saying they don't want to receive any marketing communications then it immediately removes someone from the marketing pool who would be annoyed if they did receive the information. Organisations must view this positively rather than seeing it as a negative.

Jones concurs that it is crucial to be honest with customers about your purpose in gathering their data. Customers must be aware of how their information will be used and whether it will be passed to a third party, he says.

Consumer trust is imperative, Magson says: It is critical to protect and build on consumer trust because so much of what we do depends on their decision to give their data. He says: We marketers need customers' data, so we should be doing everything we can to encourage that all-important trust. One way to build trust is to target customers intelligently, ensuring they only receive data that is relevant to them.

While companies are legally bound to be open with customers, Brown believes organisations also have an ethical duty to be open about the data they are collecting and the purposes for which they are going to use it. In short, he says, be open, be truthful and be consistent.

Avoiding the pitfalls

To ensure they don't fall foul of the regulations and risk the reputation of their brand, marketers must ensure they avoid some common mistakes when it comes to storing or using customer data. These include having weak or non-existent control over access to the data; sharing data without the subject's consent; not keeping data clean and up to date; and transferring data without encrypting it.

The list is not exhaustive and, ultimately, marketers must adhere to the principles of the DPA and use their common sense when handling data. Brown advises: Consider the risks associated with the data before considering the necessary protection. And consider what vulnerabilities or weaknesses could make those risks a reality. When third parties are involved in the protection of customer data, you should always challenge and assess the security provision they make.

When it comes to customer data, organisations simply can't be too careful and shouldn't take anything for granted, says Brown. Marketers should get to know the DPA inside out and ensure its principles are embedded in their organisation.

It may sound like a lot of drama over what may be just a few e-mail addresses, but as Magson points out: Without rigorous security policies it's very easy to get caught out. And as an industry we'd be fools if we didn't try harder to protect consumer trust, because we thrive on personal information; data is the lifeblood of marketing.

As a marketer, you don't want to be left carrying the can if your company makes the headlines for all the wrong reasons, so make sure you avoid infamy by adhering to best-practice guidelines and working hard to guarantee your customer data is fully compliant.

Tips from the top

Phil Jones, assistant commissioner at the Information Commissioner's Office (ICO), highlights some of the key principles of the Data Protection Act.

Organisations must ensure personal data is processed fairly and securely. Failure to adequately protect personal data can result in personal or sensitive information falling into the wrong hands and can ultimately damage trust.

Any data held on customers must be accurate and up to date. ICO research shows almost 70 per cent of organisations are aware of this and we continue to work with those that aren't, raising awareness of their responsibilities under the Act.

Organisations must only retain information for as long as is necessary in relation to the purposes for which it was initially collected. And if organisations intend to share marketing lists with other companies they should be open with individuals from the outset about how their information will be used and to whom it will be passed.

Individuals have the right under the Data Protection Act to opt out of providing information for marketing purposes. Organisations must comply with any such request from an individual and be open and clear with consumers when gathering their personal information.

Are you ready to gather customer data?


You are aware of the rules and regulations under the DPA and ensure all your company's data is processed fairly and securely and is kept accurate and up to date.
You look at ways of optimising your customer database to build long-term profitable relationships and you view the DPA as a sensible framework to help you achieve this.
You understand that the security of your data is paramount and take all the necessary steps to ensure your data doesn't fall into the wrong hands. In terms of security you don't take anything for granted.
You believe in transparency and work hard to ensure your customers know exactly what you are planning to do with their data, while ensuring you give them the opportunity to opt out of receiving marketing communications from you.
You understand the importance of data to the overall marketing process and therefore strive to work within the confines of the DPA in order to boost customer trust and, ultimately, safeguard the future of the industry.

Emily Cubitt is a freelance journalist who writes for titles including Precision Marketing


15/7/2009 1:40
