Data gathering and the law

While data is becoming increasingly invaluable to any business, there are myriad and complex laws governing its collection, storage and use that you have to be aware of.

In the UK there are essentially two main pieces of legislation that govern the collection and use of data: The Data Protection Act, which is about collecting and storing it, and The Privacy and Electronic Communications Act, which is more to do with how you use that data in an electronic and marketing environment.


While each of these pieces of legislation is huge, dense and labyrinthine, they are also confusingly intertwined, sometimes overlapping and occasionally contradictory. Understanding both is, however, essential if you are going to collect data about customers and use it.

So what do you need to know?

The Data Protection Act

Introduced in 1998, the Data Protection Act is designed to help protect anyone who has their data stored by anyone else, be they customers or employees. The act was introduced to promote high standards in the handling of personal information and so protect the individual’s right to privacy.

Broadly, the Act covers any information that relates to living individuals which is held on computer. For example, this may include information such as name, address, date of birth and opinions about the individual or any other information from which the individual can be identified.

The Act applies to firms holding information about living individuals in electronic format and, in some cases, on paper. They must follow the eight data protection principles of good information handling.

These say that personal information must be:

• Fairly and lawfully processed;
• Processed for specified purposes;
• Adequate, relevant and not excessive;
• Accurate and, where necessary, kept up to date;
• Not kept for longer than is necessary;
• Processed in line with the rights of the individual;
• Kept secure; and
• Not transferred to countries outside the European Economic Area unless the information is adequately protected.

Data Protection Act Checklist

This short checklist will help any company try and comply with the Data Protection Act. Answering yes to all the questions below doesn’t guarantee compliance, but it certainly shows you are on the right path.

• Do I really need this information about an individual? Do I know what I’m going to use it for?
• Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
• Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
• Am I sure the personal information is accurate and up to date?
• Do I delete/destroy personal information as soon as I have no more need for it?
• Is access to personal information limited only to those with a strict need to know?
• If I want to put staff details on our website have I consulted with them about this?
• If I use CCTV, is it covered by the Act? If so, am I displaying notices telling people why I have CCTV? Are the cameras in the right place, or do they intrude on anyone’s privacy?
• If I want to monitor staff, for example by checking their use of email, have I told them about this and explained why?
• Have I trained my staff in their duties and responsibilities under the Act, and are they putting them into practice?
• If I’m asked to pass on personal information, am I and my staff clear when the Act allows me to do so?
• Would I know what to do if one of my employees or individual customers asks for a copy of information I hold about them?
• Do I have a policy for dealing with data protection issues?
• Do I need to notify the Information Commissioner?

The Privacy and Electronic Communications Act

Introduced in 2003, this Act governs how individuals’ data is used by direct marketeers and is designed to protect consumers from unsolicited communications from any entity, be they businesses, charities or others.

In theory this was an ‘anti-spam’ law, introduced – rather perceptively – at the start of the e-commerce boom, and is designed to make data use for marketing something that consumers opt in to receive, not opt out of to stop. As such you have to be aware that if you are trying to collect consumer data and use it

The Privacy and Electronic Communications Act Checklist

Again, this short checklist will help you decide if you are collecting data correctly so that you can actually use it to market to people. It’s not watertight – so don’t use it in evidence if you end up in court – but meet these criteria and you are probably doing things right.

Obtaining consent for marketing

• Do you use opt-in boxes?
• Do you specify methods of communication (eg by email, by text, by phone, by recorded call, by post)?
• Do you ask for consent to pass details to third parties for marketing, and name or describe those third parties?
• Do you record when and how you got consent, and exactly what it covers?

Using bought-in lists

• Do you check the origin and accuracy of the list?
• Do you check when and how consent was obtained, and what it covers?
• Do you avoid using bought-in lists for texts, emails or recorded calls (unless you have proof of opt-in consent within the last 6 months which specifically named or described you)?
• Do you screen against the TPS?
• Do you tell people where you got their details?

Making calls

• Do you screen live calls against the Telephone Preference Service (TPS)?
• Do you only make recorded calls with opt-in consent?
• Do you keep your own do-not-call list of anyone who says they don’t want your calls?
• Do you screen against your do-not-call list?

Sending texts or emails

• Do you only text or email with opt-in consent (unless contacting previous customers about your own similar products, and you offered them an opt-out when they gave their details)?
• Do you offer an opt-out (by reply or unsubscribe link)?
• Do you keep a list of anyone who opts out?
• Do you screen against your opt-out list?
