UK Data protection with the ICO

The rules are as clear as mud

A Data Protection Officer is needed in your company just to keep up with GDPR, the new requirements, and the steps that should be taken to remain compliant after Brexit.

You may have heard about high profile data breaches in the news such as TalkTalk and Yahoo. But you’ve probably heard or seen little about the new General Data Protection Regulation that became enforceable in May 2018. To cut to the chase: any organisation that holds data on any EU citizens has to comply with this regulation, and the Information Commissioner’s Office stated recently that despite Brexit the UK will comply.

The headlines are that if you have not done everything in your power to prevent a breach, you can be held “accountable” and liable to be fined 4% of your global turnover. Penalties of this size obviously make cyber security and training a main board issue rather than just an IT one.

General Data Protection Regulation (GDPR), May 2018

If you hold personal information (data) of, say, an Irish (that is, EU) citizen, that person can request to know what personal data your company holds about them. You have one month to provide those details to them free of charge. You must record their consent to being included in your database; the opt-in proof will be a document of some kind. The function and scope of a “Data Protection Officer” need to be defined within your company. Your website also needs clear cookie warnings with a “tick to enter” box before a visitor gets full use of the site.

It would be advisable to hire a data protection officer who is a member of a professional organisation. The Chartered Institute of Marketing is very good. With a member of the CIM, you can be assured that the data protection officer is up to date with your company’s full legal UK obligations regarding data protection.

I would be ideal as I have passed three years of CPD Chartered Marketer accreditation with the Chartered Institute of Marketing, plus I have UK Government Secret SC Security Clearance (for NATO level work), for the next ten years.

Check that your company’s Data Protection Statement is up to date

This statement may need to communicate clearly that your products last from 1 year up to 50 years in the case of vehicles, so records of the purchasers and their immediate colleagues need to be kept. The opt-in required to hold personal data is a “permission document” such as a purchase order or “proof of instruction”. This document must be readily available so that, if required, it can be produced in a readable format within 30 days free of charge. The fine for non-compliance is heavy: 4% of company turnover. Keep in mind that it’s a US / EU deal, so your company will still have to comply if you hold EU citizens on your database.

The Data Protection Act as it stood in May 2018

This had been in force since 1998. It exists to prevent abuse of personal data, such as spam. How do you avoid ending up as one of the world’s great spammers? Talk to me. The UK is still subject to EU law until a Brexit trade deal has been fully completed. This could pose some marketing challenges, and that is a task for your data protection officer.

Legal point

Unsolicited e-mail and other messages. Article 13 of the EU Data Privacy Directive prohibits the use of email addresses for marketing purposes. The Directive establishes the opt-in regime, under which unsolicited emails may be sent only with the prior agreement of the recipient. A natural or legal person who initially collects address data in the context of the sale of a product or service has the right to use it for commercial purposes, provided the customers have a prior opportunity to reject such communication, either when the data was initially collected or subsequently.

Member States have the obligation to ensure that unsolicited communication is prohibited, except in the circumstances given in Article 13(2).

Article 13(2) of the EU Data Privacy Directive – the exception

Two categories of emails (or communication in general) are excluded from the scope of the prohibition: the first is the exception for existing customer relationships, and the second is for the marketing of similar products and services.

The second exception is a very grey area, and many people fall into a common trap: lack of courtesy. This is in fact the true essence of spam, where people are continually bombarded with marketing emails, and it is where most spam reporting takes place.

In plain English for your data protection officer

This means all existing customers are fine to be emailed: they are opted in by the very fact that your company trades with them on a regular basis, they own your products, and your products have a long life. These products are sometimes subject to improvement resulting in redesign, and customers need to be informed of these changes as there may be compliance or legislation issues they need to be aware of.

But the unsolicited emailing of new contacts or prospects from addresses collected via social media, directories or word of mouth is not in the same category and should be treated very differently. The data protection officer needs to understand this.

Customers your company deals with already

All existing customers should, as a matter of common courtesy, be informed of how you run a communications scheme that aims to keep customers updated with the latest information about your company’s products and operations.

This can be a simple message attached to a one-on-one email, either in the email footer or printed at the bottom of a quotation or other paperwork.

COPY TO USE

“Our company would like to keep clients informed about its products and operations. If you want to be included on this communications list please update your details here.”

Note

If you have received an email from a customer which asks for information to be forwarded to another person in the absence of an opted-in customer, that is considered the opt-in of a deputy. This email would need to be archived in the Single Customer View in your database system, because you will need to provide these details if your company ever receives a data request from that person.

Prospects and new contacts

Looking for new business? You need to tread carefully!

Any new contacts or prospects should, as a matter of common courtesy, be informed of how you run a communications scheme that aims to keep contacts and prospects updated with the latest information about your company’s products and operations. This can be a simple message attached to a one-on-one email, either in the email footer or printed at the bottom of a letter.

COPY TO USE

“Our company would like to keep contacts informed about products and operations. If you want to be included on this communications list please add your details here.”

To ensure contacts are removed from the relevant records on request, a robust unsubscribe system needs to be in place.

Note

If you have received an email which asks for information to be forwarded to another person in the absence of a prospect or contact, that is not considered an opt-in. Any literature that needs to be sent out or handed to a new contact or prospect should be preceded by an opt-in action, usually made when the address details are gathered.

This may be impractical in many cases, but the online option is very easy, and you can replicate the online method with an A4 letterhead-style form for field visits by sales people and other company representatives. The data protection officer will need to check that the form has legal approval.

This page was first published on 15th December 2016 and revised on 11th August 2020.

Written by Laurence Dunn MCIM