What you and every micro business needs to know about data protection and the law
Sometimes you do things you wish you hadn’t.
One evening I got an email from a newly launched organisation: an email newsletter asking me to join their professional association. Who ARE these people? And more to the point, how the heck did they FIND ME?
OK, so I was not in the best of moods and I’d been diligently unsubscribing from past interests for some time to return my inbox to a workable state.
So I did something that I’d never done. I loaded an email ‘gun’ and pointed it back at them, shot the indignant ‘how did you get my address’ bullet and also clicked on the ‘report spam’ link on the AWeber email form. I’d had enough of all these wretched newsletters procreating in my inbox and it was time for a cull.
What happened next is unfortunate. It turned out to be from a distant colleague. She had my email because I’d signed up for a leadership course a couple of years previously. She ran the course. She was starting a new venture and so USED ALL THE MAILING LISTS AND EMAILS IN HER CONTACTS she and her other colleagues had to hand.
She apologised. I was embarrassed. But she’d done more than upset me, she’d broken the law.
Now I know that sounds heavy, but do you know what the law is?
Do you think Data Protection legislation even applies to you?
No, thought so.
That’s why I’m entertaining myself this sunny morning writing about data protection so we can all avoid pissing people off, especially as we work so very hard to win new subscribers and customers and so that we at least know where the line is, and have the knowledge to stop us from breaking the law by incorrect handling of personal data.
If you really think this doesn’t affect you, think again.
Do you have a ‘sign up’ on your website? Do you ask people for personal information if they enquire about your products or services? Well then, you are handling and processing personal data, and these activities come under the Data Protection Act 1998.
Data Protection legislation is complex and is designed to protect the privacy of the individual in a wide range of circumstances – not just with avoiding junk mail and email spam, but also with privacy for records collected by institutions like schools, healthcare, social services and more.
As a micro business you just need to know the basics. There are 8 Principles to the legislation and I’m going to give you a whistle stop run down on these as well as, first, a quick do’s and don’ts summary so you can get what this is all about into your head.
Data protection do’s and don’ts for micro businesses
Do make sure you ASK people if you can keep their personal details, tell them what you will be using them for and how they can have their details removed from your database. Be clear from the start.
If you haven’t already asked people for permission, put a mailing together NOW and ask for permission and while you’re at it ask them to check their details.
When you mail people make sure you give people the opportunity to opt in and to opt out, as well as updating details. Then always clean your list accordingly.
Do make sure you are clear what you are using the data for – and give yourself some flex in this. Keeping someone updated on all the activities and products available through your site gives you a legitimate reason to talk about new stuff; if you tie your newsletter to a specific product or service, then by law you need to ask again if you want to communicate new and diversified offerings.
Do tune in to data management – how are you going to store your data securely? How often are you going to update it? How do you manage preferences? A lot of this will be done for you automatically by email services, but keep your login details secure, make sure anyone else using them is aware of data protection issues, and be aware of what your different lists are for and how you can legitimately use them.
Don’t ever sell on, or use a list for a purpose it’s not for, without express permission (in writing) first.
Don’t ever ‘forget’ to remove people from your mailing list.
Don’t harvest emails from all the sources you have to hand and then use them for the purpose you have in mind without the permission of the individual.
At its heart, data protection is all about respect for an individual’s privacy and their right to communicate with the people they want to communicate with, about things they are interested in. It’s about making sure that what you know about a person remains private and is not swapped, shared, sold or misused.
With all the hoo-ha here in the UK over the phone tapping scandal and the resultant root and branch review of press activity by Lord Justice Leveson, we can all expect use of personal data to be reviewed. This is the job of the Information Commissioner (he has a nice blog here, surprisingly interesting) and he’s already on the case. So sort your shit out, look after your mailing lists, don’t fudge it and be upstanding. OK?
Now if you really want to know about the eight guiding principles, then here they are.
Eight Guiding Data Protection Principles
1. Processing data fairly and lawfully – you need to have a legitimate need for the personal data you are collecting, handle the data reasonably, ask your customers’ permission to use this data and indicate to them how you will keep their information private when you collect it. You must not do anything unlawful with their data. Fairness really means being upfront with people about what you will be using their data for.
2. Processing personal data for specified purposes – you must be clear from the beginning why you are collecting personal data and what you intend to do with it. You must collect data only when there is a legitimate need, and the data you collect must be relevant to meeting this need. Once you’ve got the data you can’t then use it for other purposes, unless you have the individual’s express permission. Be clear with your customers about how you will use their data, don’t mislead them, be open and honest.
3. Information standards – the amount of personal information you may hold must be adequate and relevant for the purpose it was collected for. So, for example, if you need data to send out a regular mailing, you don’t need to collect your customers’ birthdays.
4. Information standards – keeping personal data accurate and up to date – if you don’t keep data up to date it’s no longer adequate or relevant for the purpose you have collected it for. In practice this means regularly checking back with customers that they are happy to be on your mailing list and that the information you have is up to date.
5. Information standards – retaining personal data, not keeping data for longer than is necessary. All mailing lists need to be purged occasionally and those who have moved on removed. Information kept longer than necessary is considered irrelevant and therefore puts you outside of the law.
6. The rights of individuals – the individual has a right to see a copy of the information you hold on them; they have a right to object to its use (processing) if it is causing distress; they have a right to prevent its use for direct marketing; they have a right to object to decisions made using the data automatically (this is unlikely to affect those holding data for marketing purposes); and they have a right to have inaccurate personal data put right, removed, destroyed or blocked from further use. They also have a right to compensation for damages if the use of their data breaches the Data Protection Act.
7. Information security – there’s no easy answer to what constitutes ‘information security’ – you must keep personal data safe from misuse and the measures you put in place should be appropriate to the size of your business and the way the data is handled. You need to take a risk based approach in the same way that you would assess your premises for health and safety – think ‘what if’ and put measures in place to protect the data.
8. Sending personal data outside the European Economic Area – this isn’t likely to affect you, unless you are using an outsourced call centre. The Data Protection Act says that if you are going to send data outside of the EU you can only send it to countries that have the same level of protection for ‘the rights and freedoms of data subjects in relation to the processing of personal data.’ If you are looking at outsourcing, get advice.
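The do’s and don’ts above, together with Principles 2, 5 and 6, describe one procedure: record what each person agreed to, only mail them for that purpose, honour opt-outs, purge what you no longer need, and be able to show someone what you hold on them. The Python below is an added example (not code from this post or from any email service) of the minimum record-keeping that makes that possible. The `ConsentLedger` class, the sample addresses and the two-year retention window are all constructed for illustration; the retention period is a policy you choose, not a figure from the Act.

```python
"""Minimal consent ledger for a micro business mailing list (added example).

Each subscriber record carries the purpose(s) the person actually agreed to,
when consent was given or last re-confirmed, and whether they opted out.
Sending is only possible for a purpose that was consented to, which is the
check that would have stopped the "reuse every contact list for the new
venture" mailing described in the post.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Subscriber:
    email: str
    purposes: set          # purposes the person explicitly consented to
    consented_on: date     # date consent was given or last re-confirmed
    opted_out: bool = False
    source: str = "web signup"   # where the address came from (Principle 1: be upfront)


class ConsentLedger:
    def __init__(self, retention_days=730):
        # Assumed policy: re-confirm or drop anyone not heard from in two years
        self.retention_days = retention_days
        self.records = {}

    def add(self, email, purposes, consented_on, source="web signup"):
        self.records[email] = Subscriber(email, set(purposes), consented_on, False, source)

    def opt_out(self, email):
        """Principle 6: a request to stop marketing is honoured, never 'forgotten'."""
        if email in self.records:
            self.records[email].opted_out = True

    def extend_consent(self, email, purpose, on):
        """Principle 2: a new purpose needs a fresh, recorded 'yes' from the person."""
        s = self.records[email]
        s.purposes.add(purpose)
        s.consented_on = on
        s.opted_out = False

    def recipients_for(self, purpose):
        """Only addresses that consented to this exact purpose and have not opted out."""
        return sorted(s.email for s in self.records.values()
                      if purpose in s.purposes and not s.opted_out)

    def purge(self, today):
        """Principle 5: drop opted-out records and anything past the retention window."""
        cutoff = today - timedelta(days=self.retention_days)
        stale = sorted(e for e, s in self.records.items()
                       if s.opted_out or s.consented_on < cutoff)
        for e in stale:
            del self.records[e]
        return stale

    def subject_access(self, email):
        """Principle 6: everything held on one person, in a form you can hand over."""
        s = self.records.get(email)
        if s is None:
            return None
        return {"email": s.email, "purposes": sorted(s.purposes),
                "consented_on": s.consented_on.isoformat(),
                "opted_out": s.opted_out, "source": s.source}


def build_sample_ledger():
    """Constructed sample data mirroring the post's scenario (not real people)."""
    ledger = ConsentLedger()
    ledger.add("ann@example.com", {"leadership-course"}, date(2010, 3, 1), "course registration")
    ledger.add("bob@example.com", {"leadership-course", "newsletter"}, date(2011, 9, 15))
    ledger.add("cat@example.com", {"newsletter"}, date(2012, 1, 10))
    ledger.opt_out("cat@example.com")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    # Nobody agreed to hear about the new association, so the list is empty
    print("new-association:", ledger.recipients_for("new-association"))
    print("newsletter:", ledger.recipients_for("newsletter"))
    print("purged:", ledger.purge(date(2012, 6, 1)))
    print(ledger.subject_access("bob@example.com"))
```

The useful property is that `recipients_for` takes a purpose, not a list name: the course register and the newsletter list are the same table, and what decides who gets a mailing is what each person said yes to. Running `purge` on a schedule, and re-confirming via `extend_consent` when someone replies to a ‘check your details’ mailing, keeps the list inside Principles 4 and 5 without a separate clean-up project.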