Amongst other things, the Data Protection Act puts organisations under a legal obligation to:
1) use personal information fairly and legally;
2) collect only the information necessary for a specific purpose(s);
3) ensure it is relevant, accurate and up to date;
4) only hold as much as you need, and only for as long as you need it;
5) allow the subject of the information to see it on request; and
6) keep it secure.
When seeking referrals off people in my networking group, what information is safe to gather? So, let’s say, for example, I ask Bob for referrals of our ideal client. Bob knows somebody who may be interested in our service – so passes us their contact details. Is this safe?
Samuel Poole, Marketing Communications Manager, Syn-Star Complete I.T. Solutions
Great question. Actually, in data protection terms it is not safe to do this unless certain things are in place.
Essentially, when dealing with personal information such as contact details, the person who decides what to do with the information is a data controller: in this case, Bob.
The data controller has to “process” personal data fairly (processing includes passing it to a third party, i.e. you). They also have to have one of six lawful reasons to be able to process the data. The most appropriate of these in these circumstances is the consent of the data subject. This has to be GDPR-compliant consent, i.e. given freely, not under duress and in full knowledge of what they are consenting to.
The data controller also has to give “privacy information” explaining how the subject's data will be used. There are specific things that have to be included in this information, which often takes the form of a notice but can also be given verbally, depending on the circumstances.
It is incumbent on you to check that the necessary consent is in place for the use you wish to make of the data before acting on it.
Of course, once the information comes into your hands for marketing purposes, you become a data controller. In addition, you will need to comply with the Privacy and Electronic Communications Regulations in relation to electronic marketing messages (phone, fax, email or text).
Personal data will need to be retained for longer in some cases than in others. How long you retain different categories of personal data should be based on individual business needs. A judgement must be made about:
the current and future value of the information;
the costs, risks and liabilities associated with retaining the information; and
the ease or difficulty of making sure it remains accurate and up to date.
There are various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes, or information on aspects of health and safety. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.
The CIPD have a great resource regarding HR records which can be found here.
This explains the relationship between the Bill and the GDPR, detailing the additional areas the proposed new legislation covers. It also includes links to the ICO’s GDPR and Law Enforcement pages and to a Data Protection Bill fact sheet.
When the General Data Protection Regulation (GDPR) comes into effect next year, there will no longer be a requirement to notify the Information Commissioner’s Office (ICO) as there is now.
There is a provision in the Digital Economy Act which means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work. As now, any money the ICO receives in fines will be passed directly back to the Government.
The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the data protection fee will still be based on the organisation’s size and turnover and will also take into account the amount of personal data it is processing. The final fees will be approved by Parliament before being put into place.
There are plenty of databases out there but whether they can be used to send marketing material will depend on the basis on which the personal information concerned was collected. The general rule is that unsolicited marketing can be sent to individuals where they have agreed to this or where it is likely to be within their reasonable expectations. For example, if an individual goes on holiday with a particular travel company then it is reasonable for that company to send a brochure advertising similar holidays the next year, unless the individual has made it clear that they do not wish to receive such marketing.
Therefore, the buyer of a list needs to check the basis on which the information was collected and whether any of the individuals have objected. The buyer should also establish whether the individuals would only expect to receive marketing via a particular medium, for example by mail. When using the telephone or email the special rules governing electronic marketing should also be complied with.
Unsolicited marketing emails should only be sent to individuals who have consented (and consent cannot be assumed if an individual does not respond).
If it is established that the list buyer can use the personal information for marketing they should only market products and services which are similar to those that the information has been used to market previously. Further guidance on electronic mail marketing can be found here.
The Data Protection Act requires that any personal information held should be adequate, relevant and not excessive, and that it should not be kept for longer than is necessary. The new owner of a database should decide how much of the information they need to keep. Any unnecessary personal information should be deleted. Personal information should not be held simply on the basis that it might become useful one day.
The Government has committed to updating and strengthening data protection laws through a new Data Protection Bill which will:
Make it simpler to withdraw consent for the use of personal data
Allow people to ask for their personal data held by companies to be erased
Enable parents and guardians to give consent for their child’s data to be used
Require ‘explicit’ consent to be necessary for processing sensitive personal data
Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
Make it easier for customers to move data between service providers
New criminal offences will be created to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data.
Businesses will be supported to ensure they are able to manage and secure data properly. The data protection regulator, the Information Commissioner’s Office (ICO), will also be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, in cases of the most serious data breaches.
The intention of the Data Protection Bill is to implement the GDPR in full, put the UK in a strong position to secure unhindered data flows once it has left the EU, and give businesses the clarity they need about their new obligations.
The GDPR will apply fully from 25th May 2018.