Data protection - compliance and best practice

Welcome to the BrotherMailer simple guide to data protection, compliance and best practice.

Email can be a powerful tool for developing good customer relationships and finding new prospects. Keeping up to date with the legal implications is not always easy, but at BrotherMailer we are committed to advising our customers of best practice. This document puts current legislation in a nutshell, to help keep you and your data compliant.

Data protection legislation is comprised of An Act of Parliament and four EU directives. This article will focus on current UK parliamentary legislation, the Data Protection Act 1998 (which repealed the 1984 Data Protection Act).

The Data Protection Act 1998

The Data Protection Act 1998 came into full compliance in October 2001. It places the balance of rights on privacy issues and data protection back in the hands of individuals.

This Act requires that companies must be able to provide more information about why they want to use personal data, as well as where their Data came from, if requested.

The Data Protection Act also specifies ways in which personal data must be collected and stored.

What is personal data?

Personal data is defined as 'data which relates to a living individual who can be identified by that data'. This includes email addresses, as an email address can give strong clues to a person's identity. For example, identifies a particular individual at a specific company.

Email addresses don’t always give such clear personal detail of course; for example is much less identifiable.

It is advisable to treat all email addresses to be personal data, even though the legislation does not give specific guidance on such contradictions.

Data Protection Principles

The Act includes 8 data protection principles. The information commissioner has the power to issue any organisation found to be in breach of any these principles with an enforcement notice. Failure to comply could result in an unlimited fine in a crown court or a £5000 fine in a magistrate's court. These 8 principles are:

  •    Personal data must be processed fairly and lawfully
  •    Personal data can only be obtained for specified purposes and not used in a manner incompatible with those purposes
  •    Personal data should be adequate, relevant and not excessive for the purposes for which they are processed
  •    Personal data should be accurate and up to date
  •    Personal data should be kept no longer than necessary
  •    Personal data must be processed in accordance with the rights of data subjects under this act
  •    Personal data should not be open to accidental loss, destruction or damage
  •    Personal data must not be transferred to countries, without adequate levels of protection, for the rights and freedom of the subject.

Collection of data

An email marketing campaign cannot  run without first collecting data - the success of the project depends on good, clean data. Marketers need to be aware of the legal constraints within which such data should be collected. There are a several ways in which a company could acquire data email addresses to be used in a marketing campaign:

  •     Direct from prospects via a telemarketing campaign
  •     Direct from customers (such as a Web site)
  •     Lists prepared by third parties
  •     Collection from websites; including newsgroups public, directories or discussion boards.

Email addresses, which are collected directly, are subject to some ambiguity under the Data Protection Act in relationship to the level of consent legally required.
The guidelines do clearly state 'It will always be necessary to get their consent where if the data is sensitive.' Sensitive data is defined as that which reveals 'racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sex life'. Good practice according to data protection guidelines, would be to get the individual's consent. Consent, however, is not clearly defined.

This definition indicates some, but by no means all, email addresses could be classified as sensitive; for example reveals trade union membership. The law is not clear on these issues and the guidelines do not offer much help here. It is clear, however, that when a customer requests that you stop using his or her data for marketing purposes you must do so.

For this reason, it is best practice to ensure prospects/customers are always given the opportunity to opt-out of the use of his or her data for marketing.

Where a contact form on a website is used to collect email addresses for marketing purposes, it is good practice to link to a 'Privacy Policy', which should include: uses to which the personal information will be put, company contact details and details of how to opt-out of any mailing list. This policy also serves as notice to inform the user of the purpose for which thier information is being collected - it can therefore be assumed that when they submit their details, the individual has given appropriate consent.

Bought in lists of email addresses prepared by third party organisations must be checked by companies to ensure they (company and data) are legitimate and have been collected in compliance with the Data Protection Act. For data to be compliant, the individual must be informed of what happens to their data as well as giving permission for it to be sold to a third party. For this reason, it is advisable only t buy data from a reputable company.

Email addresses which are collected on the Internet or from a public space to be used for an email campaign, may well be contravening the principle of 'fair processing of data'. It is highly likely that the individual made their address public for a different reason than for the purpose of having their data collected for marketing purposes.

It is advisable not to collect data in this way as it is not only illegal but also the collection method choice of spammers and often leads to poor quality data. This method is definitely out of the bounds of good practice. 

The right to object

Data subjects have the right to know whether information about him/her is being processed, who is collecting the information, the purposes for which the information was gathered and the source of the information. Even if an individual has previously consented to personal details being used for marketing purposes he can still request at any time that a company ceases to use or store personal information.
The rights of the individual are quite clearly defined as such in the Act. It is for this reason unsubscribe requests should always be adhered to and names removed lists quickly.