Institute of Fundraising
Supporter Care & Stewardship
Friday 21st September 2012
Data Protection
Janine Paterson DMA Solicitor
Overview
• Data Protection Act
• Marketing
• Potential changes in the future
Data Protection Act 1998
• Privacy - a topic in the UK and Europe for over 60 years
• Data Protection Act 1984 – minimum implementation in the UK
• 1995 Data Protection Directive – became DPA 1998
• Privacy and Electronic Communications Regulations 2003 and 2011
8 Principles
Personal data are:
• Processed fairly and lawfully
• Processed only for specified and lawful purpose(s)
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept longer than necessary
• Subject to rights of data subjects
• Technical/organisational means to prevent unlawful or unauthorised processing
• Transferred outside EEA only if adequate security
• All relevant to marketing but 1 is foundation
Principle 1
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
(a) At least one of the conditions in Schedule 2 is met, and
(b) In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met
Collecting and using data for marketing
• Processing – doing anything with data
• Collecting and using data for marketing is processing
• Need grounds to process
• Marketing – consent
• Problem with consent – it can be withdrawn
• If withdrawn then you cannot process the data for marketing
Marketing data
Many ways to acquire personal data for marketing purposes
– Direct from consumer
– Bought in/rented lists
– Survey sponsorship
Marketing rules
General rules – B2C
• Direct Mail – opt-out
• Telephone – opt-out
• Email – opt-in
• SMS – opt-in
• Fax – opt-in
Email/SMS marketing
Soft opt-in/existing customer exemption
• Exemption applies if all the conditions apply
• 1) Email or mobile number was acquired in the course of a sale or negotiations for goods or services
• 2) Unsubscribe from marketing offered at time of collecting data and on all subsequent messages
• 3) Marketing must be only about similar goods and services
• 4) Identity of sender is not disguised
Charitable donations
• Do not come within the definition of the exemption so opt-in for email and SMS
• ICO confirms view in guidance:
We are a charity, political party, or not-for-profit organisation; can we take advantage of ‘soft opt-in’?
Only if you are promoting commercial goods and services, for example, those offered by your trading arm.
ICO guidance on electronic marketing
So what to do?
• ICO recognise the difficulty this causes.
• Argue that organisations should seek “solicited” communications, ie get people to actively agree to being contacted – permission based marketing
• Send messages to people who actually want to hear from you
Permission based marketing
• Don’t see it as the enemy
– Comply with legal requirements
– Good data management
– Increase customer confidence and therefore the bottom line
Legal requirements
• Data Protection Act - 8 principles
• Marketing opt-ins/outs
Good data management
• Makes good business sense – data is an asset and can give a competitive edge
• Data quality is vital to the success of any business
• Affects reputation and brand
Consumer confidence
• Consumers - more aware of the value of data
• Will affect whom consumers do business with
How can we achieve this?
• New customers – easiest as can show benefits – over telephone or on a website sell the benefits of agreeing to be contacted
– Privacy policy
How can we achieve this?
• Existing customers – more difficult – should have got opt-in when first joined
– Database update – service message
• Duty to keep information held accurate and up to date
• Confirm marketing preferences
• Incentive - prize draw
– Instil confidence in your customers that you respect their data and protect it
Telemarketing
• Legal requirements for B2C
• In-house suppression file
• TPS screening for all new numbers acquired if applicable
• TPS screening if buy in/rent third party opt-ins where organisation was not a named third party
The future
1995 European Directive (implemented into UK by 1998 Data Protection Act) showing its age due to:
1) Law doesn’t take account of new technologies – and more complex information networks
2) Lack of common European law and differences in national implementation impedes marketing
3) Consumer concern over privacy – high profile data security breaches, etc. leading to reducing permission to market
Data Protection Regulation - Key issues
• Opt-in and opt-out - obtaining consent
• General rule for direct marketing – “explicit consent by clear statement or affirmative action”
• Legacy databases – what about data collected under current law?
• At odds with existing rules on voice calls, email and SMS marketing
Data Protection Regulation - Key issues
• IP addresses and cookies
– Definition of personal data extended so could cover some IP addresses and cookies
– But IP addresses identify a device not an individual + some IPs are general
• Right to be forgotten
– Right for individuals to request organisations to delete any information held on them
– Drafted with social media in mind – but goes beyond this
Data Protection Regulation - Key issues
• Data breach notification
– Every organisation that suffers a data security breach would have to notify Information Commissioner’s Office and the individuals concerned within 24 hours
– Increase in fines/sanctions – in stages, of up to 2% of global turnover or 1 million euros
• Marketing to children
– General rule – parental consent required for under-18s
– Exception for online marketing to children above age of 13
What the DMA are doing
• Federation of European Direct and Interactive Marketing Associations (FEDMA) in Brussels leading collective EU dm effort – UK DMA chairs Legal Affairs Committee
• Lobbied Commission intensively after unofficial draft leaked in Dec 2011 – with some success
• Responded to Ministry of Justice’s Calls For Evidence in 2010 and 2012, with input from DMA members.
• Responded to Commons Justice Select Committee inquiry – Select Committee now holding hearings
What the DMA are doing
• Now lobbying UK Government and European institutions as the proposal goes through the European legislative process
• Leading UK Data Industry Group response to the proposed legislation & participating in CBI Group on Data
• Key research on consumer attitudes to privacy, Data Privacy: What the Consumer Really Thinks and on the economic value of the dm industry, Putting a Price on Direct Marketing
Summary
• Data protection rules not there to hinder you or stop you running your business
• Use them to build confidence in your organisation
• Start the dialogue with those who want to hear
• Involves everyone in the organisation
• Join the DMA and help shape the future