An introduction to data protection - 30 Jan 2014
1. An introduction to data protection
Thursday 30 January 2014, DMA House
#dmadata
Supported by
2. Agenda
9.00am  Registration and breakfast
9.30am  Why is data protection important?
9.40am  Understanding the law
        – The Data Protection Act 1998
        – Key terms
        – 8 Principles
10.40am Break
11.00am Understanding the law
        – The Privacy and Electronic Communications Regulations 2003
        – Key rules
        – Key points
11.30am Practical tips for marketers
12.00pm Summary and questions
12.30pm Close
3. Why is it important?
• It helps us to protect information about ourselves and others
• It helps us avoid damage to the reputation of our organisation
• It makes good business sense – it can increase efficiency and effectiveness
• It helps us avoid enforcement action by the Information Commissioner
  – both employers and employees can be prosecuted
  – companies can face a monetary penalty of up to £500,000 for major breaches
4. Understanding the law 1
• Data Protection Act 1998 (DPA)
  – Came into force 1 March 2000
  – Replaced the 1984 Act
  – Covers doing anything with data
  – Applies to electronic records and some manual records
5. Key Terms
• Personal data
  – any data that can be used to identify a living individual
  – Examples of personal data can include:
    • Name and address
    • Email address (even business email addresses if they are non-generic)
    • Name and telephone number
    • Photographs
  – Only personal data is protected by the DPA
• Sensitive personal data
  – any data relating to:
    • Health
    • Race or ethnic origin
    • Political opinions
    • Religious beliefs
    • Trade union membership
    • Sex life
    • Criminal proceedings or convictions
6. Key terms
• Processing
  – obtaining, recording or holding information or carrying out any operation on the information, including:
    • Organising
    • Adapting
    • Retrieving
    • Disclosing
    • Blocking
    • Destroying
• Data subject
  – a living identifiable individual to whom the personal data relates
7. Key Terms
• Data controller
  – Determines how data will be used
  – Usually owns or rents the data (may be done by a 3rd party on their behalf)
  – Required to notify (register) as a controller with the ICO
  – May be fined by the ICO if any data breaches arise
• Data processor
  – Processes data on behalf of a controller or other processor
  – Processing can be anything from data storage to advanced data manipulation and modelling
  – Includes companies that manage / broker / collect data on behalf of others
8. The 8 Principles
• Fairly and lawfully collected
• Processed for specified and limited purposes
• Adequate, relevant and not excessive
• Accurate and kept up to date
• Not kept for longer than necessary
• Processed in accordance with individuals’ rights
• Security – appropriate technical and organisational measures
• Not transferred outside the European Economic Area (EEA) unless adequate protections are in place
  – (EEA: the 28 member states of the EU, plus Iceland, Liechtenstein and Norway)
9. Principle 1: Fairly and lawfully collected
• Fair processing information provided
• Organisation’s identity given
• Purpose of collection made clear
• Further information necessary
• Correct permissions obtained
  – Implied consent: opt-out mechanism provided
  – Express consent: opt-in mechanism provided
• Sensitive personal data only captured if strictly necessary
10. Principle 2: Processed for limited purposes
• Only process data for the purpose(s) you told the individual
• Make the purpose(s) clear at the point of data collection
• Change of circumstances – what happens to the data then?
• Subsequent use of data for direct marketing purposes
• Data cleansing – regular and ad hoc
11. Principle 3: Adequate, relevant and not excessive
• Minimum amount of information required
• Additional information for specific individuals
• Collect data that you will use now
• Collection of data that ‘may be useful’ in the future is not permitted
12. Principle 4: Accurate and kept up to date
• Take reasonable steps to ensure accuracy (but what is ‘reasonable’?)
• Ensure data is not incorrect or misleading
• Undertake regular data cleansing
• Clean data against the relevant preference service files and other appropriate cleansing files
13. Principle 5: Not kept for longer than necessary
• Keep for as long as purpose collected for
• Suppression lists
14. Principle 6: Processed in accordance with the rights of data subjects
• Subject access requests
• ‘Where did you get my data from?’
• Right to prevent direct marketing
• Customer service / legally required communications – no opt-out provision required
• Right to have inaccurate data corrected
15. Principle 7: Technological and organisational security
• Data security must be appropriate – take account of:
  – Current state of technological development
  – Cost of implementing security measures
  – Potential harm that could result from a data breach
  – Nature of data to be protected – non-sensitive or sensitive?
• Need for risk assessment and risk management techniques
• Record your findings and assessments
16. Principle 7: Technological and organisational security (continued)
• Ensure adequate organisational data security measures
• Prevent unauthorised as well as unlawful processing or disclosure of data
• Security measures by data controller and data processor
• Data processing and transfer agreements in place
• Staff training
• Data access on a ‘need to know’ basis – individual log-ins only
• Secure disposal of data – internally/externally – keep records
17. Principle 8: Processed within the EEA unless adequate protection in place
• Data can be freely transferred within the EEA (providing data transfer agreements are in place)
• Do not transfer data unless the country (destination and countries data is routed via) has an adequate level of data protection
• Need to inform individuals before transferring their data outside the EEA, but do not need their consent
18. Understanding the law 2
• Privacy and Electronic Communications Regulations 2003 (PECR)
  – Came into force 11 December 2003
  – Covers electronic communications – email, telephone, SMS
19. Key rules
• Sender must not conceal their identity
• Communication must have a valid address where opt-outs can be sent
• Opt-in required for individuals (B2C)
• Soft opt-in/existing customer exemption – available:
  – When you are collecting the address/mobile number in the sale or negotiations for the sale of a product or service;
  – You only send communications about similar products and services;
  – You provided an opportunity at the time of collection to opt out.
20. Key points
• Existing customer exemption: not an excuse for unsolicited contact where correct permissions were never obtained
• B2B – opt-out, and the marketing message needs to directly relate to the work they do
• Subject headers in emails must be clear and accurate
• Free and simple-to-use opt-out method must always be provided
• Action unsubscribe requests promptly – add to internal suppression file
• Maintain different flags for different types of communication – helps to avoid general opt-outs for all channels
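The key rules and key points above describe a decision: may this message go to this contact on this channel? The following is an added example (not from the DMA deck) that encodes those rules as a small permission check: per-channel opt-in and opt-out flags, an internal suppression file, the three soft opt-in conditions for B2C, and the opt-out basis for B2B. The Contact fields and the notion of a "campaign category" are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Contact:
    address: str                     # email address or mobile number
    is_consumer: bool                # True for an individual (B2C), False for corporate (B2B)
    product_category: str = ""       # product bought / negotiated for when the address was taken
    collected_in_sale: bool = False  # soft opt-in condition 1: address gathered in the sale
    opt_out_offered: bool = False    # soft opt-in condition 3: chance to opt out at collection
    opt_in: set = field(default_factory=set)     # channels holding an express opt-in
    opted_out: set = field(default_factory=set)  # channels flagged by an unsubscribe
    work_categories: set = field(default_factory=set)  # B2B: what the recipient's job covers


def soft_opt_in_applies(contact, campaign_category):
    """Existing-customer exemption: all three PECR conditions must hold."""
    return (contact.collected_in_sale
            and contact.opt_out_offered
            and campaign_category == contact.product_category)  # similar products only


def may_send(contact, channel, campaign_category, suppression_file):
    """Decide whether a marketing message on this channel may go to this contact."""
    # The internal suppression file and per-channel unsubscribe flags win over everything
    if contact.address in suppression_file or channel in contact.opted_out:
        return False
    if channel in contact.opt_in:          # express opt-in held for this channel
        return True
    if contact.is_consumer:                # B2C: opt-in or soft opt-in, nothing else
        return soft_opt_in_applies(contact, campaign_category)
    # B2B: opt-out basis, but the message must relate to the work they do
    return campaign_category in contact.work_categories


def record_unsubscribe(contact, channel, suppression_file, all_channels=False):
    """Action an opt-out promptly; flag only the channel asked for unless told otherwise."""
    if all_channels:
        suppression_file.add(contact.address)   # general opt-out: suppress every channel
    else:
        contact.opted_out.add(channel)          # per-channel flag keeps other permissions intact
```

A per-channel flag means an email unsubscribe does not silently kill a valid SMS permission, which is the point of the last bullet above.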
21. Practical tips for marketers
• Data capture forms
• Marketing permissions
• Sourcing data
• Regaining lost permission
22. Data capture forms
• Key information to include:
  – Why the data is being requested
  – What the data will be used for
  – Provision of an opt-in/out for marketing
  – Marketing channels to be used
  – Link to privacy policy
• Key information to include in the privacy policy:
  – How the data subject can opt out of marketing
  – If the data will be processed outside the EEA
  – How long the data will be kept for
  – How to make a subject access request
  – How to make a complaint regarding use of data
24. Sourcing data / Due diligence
• Who compiled the list? When? Has it been amended or updated since?
• When was consent obtained?
• Who obtained consent and what was the context?
• Was it opt-in or opt-out?
• Was information provided clearly and intelligibly? How was it provided?
• Did it list organisations by name, by description, or any third party?
25. Regaining lost permissions
• Why was permission lost?
  – Poor customer service?
  – Poor communications timing?
  – Inappropriate offers?
  – In-house technical issues – permissions not recorded on CRM system
• Revalidation exercise – obtaining up-to-date data
• Can very occasionally include a request regarding a marketing update in a service message, providing it is a minor part of the message
• If you have only lost permission for certain channels, contact via another channel to update permissions