UK Data Protection checklist
When collecting and managing data on individuals you need to make sure that your organisation is in compliance with the law. In the UK, this means the Data Protection Act (DPA) 1998. The Information Commissioner's Office offers advice and training materials via their website, which is very good and very detailed. However, sometimes they produce something really excellent and succinct, such as the Data Protection Checklist I received in the post last week.
The list, rightly, begins with the caveat that it should help you comply with the DPA but cannot guarantee this. It is hoped that it will get you heading in the right direction and perhaps highlight areas where you need more advice.
Here's the list, with some thoughts relating specifically to email marketing. Ideally you should be able to answer "yes" to every question:
- Do I really need this information about an individual? Do I know what I'm going to use it for?
- Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for?
- If I'm asked to pass on personal information, would the people whose information I hold expect me to do this?
- Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure?
- Is access to personal information limited to those who absolutely need it?
- Am I sure the personal information is accurate and up-to-date?
- Do I delete or destroy personal information as soon as I have no more need for it?
- Have I trained my staff in their responsibilities under the Data Protection Act? Are they fulfilling them in practice?
- Do I need to notify the Information Commissioner? If so, is my notification up-to-date?
Having been involved in the email marketing industry for nearly 10 years, one of the most common failures we have seen in UK organisations is actually one of the easiest things for them to address. According to the ICO, item 9 on the checklist can also be put thus: "Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner’s Office (ICO), unless they are exempt. Failure to notify is a criminal offence".
If you're reading this and aren't registered as a data controller, go and do that now.
One of the hardest items on the checklist -- and one that would see a lot of organisations fail a DPA audit -- is item 1, regarding whether you know what you intend to use the data you collect for. A lot of companies don't even think about this. They know they definitely want email addresses and telephone numbers, but why not get their fax number, marital status, and favourite colour too? The tendency is very often to hoard every piece of data that can be collected with the vague idea that it might be useful in the future. Having said that this is a difficult item to comply with, the solution is a simple sanity check when capturing data.
If you think your organisation might need to tighten up its compliance, a great place to start is the ICO's document library.