Businesses collect plenty of data, but they must have permission to use it.
While many businesses will hold personal data about their customers and know that they must keep this secure, not all companies are aware of the requirements surrounding collection, processing and retention of personal data.
The Data Protection Act contains obligations on any business seeking to collect, process, retain or disclose personal data, including obtaining consent or implementing appropriate technical and organisational measures to protect data. As we rely more on collected data for targeted marketing, a number of issues can arise.
The first time your business contacts a new customer and collects personal data from them, you must expressly tell the customer the reasons for collecting it, unless those reasons are obvious. One example is where your company collects a customer's name and address through its website in order to verify the customer's identity and to despatch goods ordered.
If you later want to send newsletters or brochures to the customer, or share the customer's data with affiliated companies for marketing purposes, this must be explained at the outset.
Consent is also required in most cases of unsolicited marketing, particularly where a business obtains the data via a third party. While the DPA permits businesses to rely on a customer “opting out” of direct marketing, the more restrictive EU E-Privacy Directive requires that customers “opt in” for most types of direct marketing.
Your business, as the data controller, is responsible for providing a fair processing notice to any new contacts, including an ability to opt in or opt out of receiving further marketing information.
Another difficult situation – and one faced by one of our clients recently – is where a business intends to provide customer data to a third party. Our client was looking to acquire a customer list as part of an asset sale, and discovered that the third party had promised customers that it would never transfer data to a third party. We advised the buyer to include provisions in the agreement compelling the seller to use all reasonable means to ensure the list was transferred and the grant of a licence to use the information contained in the list.
Even with these safeguards in place, we suggested the price of the acquisition be cut and that the seller provide an indemnity in respect of any data protection claim.
As a business develops and changes, its uses of data might change, in which case the original purposes of collection communicated to the customer could be outdated. Should you then obtain a new or wider consent from the individuals concerned? If the proposed change is minor, informing customers and providing an option to opt out is likely to suffice. Otherwise, you should consider asking customers to opt in, using a properly established sales promotion or a competition as a lever.
Outsourcing data processing activities offshore to save money can present challenges. The legal protection in the target country must be deemed to offer an “adequate level of protection”. Unfortunately, outsourcing destinations such as India do not satisfy the stringent criteria. Neither does the US.
To get around these problems, the EC has recently approved a series of model contract clauses to protect the data when transferred offshore, and the US Department of Commerce has developed a “Safe Harbor” framework for US businesses.
It's not that hard to stay on the right side of the DPA. These are the salient points:
- Establish an effective internal data processing policy
- Notify/register your processing with the Information Commissioner
- Ensure your business has appropriate technical and organisational measures to protect data
- Obtain informed consent, making use of opt in/opt out options as appropriate
- Select outsourcing partners carefully
- Ensure any transfers of data offshore meet the data protection requirements
First published in SCMagazine UK, September 2008