DATA PROTECTION AND HOW TO GET IT RIGHT

Lesson 2 - Rosemary Smith, Director of data protection consultancy Opt-4, provides some helpful definitions to get you through the privacy maze

The Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) have to be applied when personal data is processed. For the average marketer, these statutes can cause real hassle when it comes to collecting data. Because the legislation is based on broad principles, it is vital to understand the key terms used, partly because they may not mean quite what you think they mean!

Let's start with Consent. In the DPA, consent is defined as any freely given, specific and informed indication of wishes by which the data subject (person) signifies agreement to personal data being processed. This can be by positive consent (i.e. opt-in) or by bypassing an opt-out.

Most companies are Data Controllers under the Act - that is a person (including a legal person) who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data Subject is a living individual to whom personal data relates. Customers and prospects are data subjects if you can identify them personally (even at a business address).

There are Eight Data Protection Principles which state that Personal Data must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate;
  • not kept for longer than is necessary;
  • processed in line with the Data Subject's rights;
  • secure; and,
  • not transferred to countries without adequate protection.

Personal Data means data which relate to a living individual who can be identified:

  1. from those data, or
  2. from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

Soft opt-in is a permission statement to be used when collecting email and SMS details. In practice the wording needed for a soft opt-in statement is very similar to an opt-out, as the consent is achieved by the individual bypassing an opportunity to object.

Subject Access Request is a written, signed request from an individual to see information held on them. The Data Controller must provide all such information in a readable form within 40 days of receipt.

Rosemary Smith is a director of Data Protection Consultancy Opt-4 Ltd. Updates on privacy matters are available from http://www.opt-4.co.uk/subscribe.asp
