Data Protection: Do your email campaigns comply?
August 1, 2008
Compliance with data protection is a complex business. Here at Extravision we've put together a simple guide to the current legislation that should keep you out of court - and give you an idea of what is considered best practice. There are four EU directives and an Act of Parliament that cover data protection legislation. In this article we concentrate on the current UK parliamentary legislation, the Data Protection Act 1998 (which repealed the 1984 Data Protection Act). For more information about EU directives and the way in which they could soon affect UK law, please see our article 'EU Directive on Email Marketing'.
The Data Protection Act 1998
The new Data Protection Act 1998, which came into full compliance in October 2001, places the balance of rights on data protection and privacy issues firmly back in the hands of the individual. Under the Act, companies are obliged, if requested, to provide more information about why they want to use personal data and must also reveal the source of their data. Importantly for marketers, the Act also specifies ways in which personal data must be collected and stored.
What is personal data?
The Act defines personal data as 'data which relates to a living individual who can be identified by that data'. Lists of email addresses clearly come under this definition, as an email address can give strong clues to a person's identity; [email protected] identifies a particular individual at a specific company. Not all email addresses give such clear personal detail of course; [email protected], for example, is much less identifiable. We would advise companies to err on the side of caution and consider all email addresses to be personal data, even though the legislation does not give specific guidance on such contradictions.
Data Protection Principles
There are 8 data protection principles in the Act. The Information Commissioner has the power to issue an enforcement notice to any organisation found to be in breach of any of these principles. Failure to comply could result in a £5000 fine in a magistrate's court, or an unlimited fine in a crown court. The principles are that personal data:
- Must be processed fairly and lawfully
- Can only be obtained for specified purposes and not used in a manner incompatible with those purposes
- Should be adequate, relevant and not excessive for the purposes for which they are processed
- Should be accurate and up to date
- Should be kept no longer than necessary
- Must be processed in accordance with the rights of data subjects under this act
- Should not be open to accidental loss, destruction or damage
- Must not be transferred to countries without adequate levels of protection for the rights and freedom of the subject.
Collection of data
One of the first steps in running an email marketing campaign is data collection - getting the right email addresses is essential to the success of the project. Marketers should not, however, be blind to the legal constraints within which such data should be collected. There are a number of different ways in which a company can acquire the email addresses to be used in a marketing campaign:
- Direct collection from prospects via a telemarketing campaign
- Direct collection from customers (for example via a Web site)
- Lists prepared by third parties
- Collection from websites, such as public directories, newsgroups or discussion boards.
Email addresses collected directly are subject to some ambiguity under the Data Protection Act in terms of the level of consent legally required. Data protection guidelines say that it is good practice to get the individual's consent. Consent is not, however, clearly defined, although the guidelines do clearly state that 'It will always be necessary to get their consent where if the data is sensitive.' Sensitive data is defined as that which reveals 'racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sex life'. Under this definition some, but by no means all, email addresses may be classified as sensitive; for example [email protected].
The right to object
The rights of the individual are quite clearly defined in the Act: data subjects have the right to know whether information about them is being processed, who is collecting the information, the purposes for which the information was gathered and the source of the information. Even if an individual has previously consented to personal details being used for marketing purposes, he can still request at any time that a company ceases to use or store personal information. Unsubscribe requests should therefore always be adhered to and names taken off lists speedily.
Email can be a powerful tool for finding new prospects and developing good customer relationships. Keeping abreast of the legal implications is not always easy, but at Extravision we are committed to advising our customers of best practice, keeping you out of court and making your emails welcome in your prospects' inboxes!
If you would like more information, please email us at [email protected] or call +44 (0)161 817 2929.
Posted by Paul Latham