How does your data supplier deal with individuals’ rights - do they pass on objections?

Posted on 18/02/2020 at 10:30 by Corpdata

B2B data you can trust

How does your data supplier deal with individuals’ rights - do they pass on objections?



Not our question, this is from the ICO.

January 8th saw the UK data watchdog release their 'Draft Direct Marketing Code of Practice' for consultation. The consultation closes on 4th March 2020, and invites email responses to directmarketingcode@ico.org.uk. As the name implies, it is likely to change, but we expect the draft to be largely unchanged in the finished document. So direct marketers should take heed.

Codes of practice are not legally binding, but recital 81 of GDPR states:
The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.
So the code can form an important part of showing how you comply, if you adhere to it. It also signposts how the ICO will be considering topics, from basic ones, such as what constitutes direct marketing, through to guidance on more complex issues, like what due diligence checks are necessary when sourcing a list.

What does the ICO suggest you should consider when buying or renting direct marketing lists?


Page 53 of the draft code clarifies that the practice of list rental or purchase remains valid for direct marketers. However, the ICO also highlight that merely accepting supplier assurances is not sufficient. You are responsible for your processing of personal data and must conduct 'proportionate due diligence'.
Who compiled the data – was it the organisation you are buying it from or was it someone else?

Where was the data obtained from – did it come from the individuals directly or has it come from other sources?

What privacy information was used when the data was collected – what were individuals told their data would be used for?

When was the personal data compiled – what date was it collected and how old is it?

How was the personal data collected – what was the context and method of the collection?

Records of the consent (if it is ‘consented’ data) – what did individuals consent to, what were they told, were you named, when and how did they consent?

Evidence that the data has been checked against opt-out lists (if claimed) – can it be demonstrated that the TPS or CTPS has been screened against and how recently?

How does the seller deal with individuals’ rights – do they pass on objections?
This extract from the draft code of practice provides a strong hint of questions you could, or perhaps should, include in your due diligence. We agree, they are very sensible! Our 'Due Diligence Disclosure Pack' answers all of these questions, and more besides.

Choosing Corpdata as your supplier helps your compliance



The last two questions above highlight the importance of keeping your data accurate and up to date for demonstrating you comply.

At Corpdata, we fully considered your compliance issues several years ago. We embraced them within our updated data management processes and how we supply our data to you. For example, knowing who has recently objected or registered with opt-out lists is essential to respecting the rights of data subjects and therefore your compliance.

In May 2018 Corpdata introduced twice-monthly updates and new licensing requirements, all designed to help keep you fully compliant with the law. Our new conditions require updates to be applied. As recently as our October 2019 newsletter we talked about the importance of updates.

We recognised applying updates can be difficult, so we have created several update methods intended to suit a variety of use cases. Indeed, in January 2019 we announced the launch of our 'Update API'. (Of course, our updates also help you keep your data accurate and up-to-date, covered on page 40 of the code, which simultaneously delivers you better ROI on your campaigns!)

Crucially, the code states:
A reputable third party should be able to demonstrate to you that the data is reliable. If they cannot do this, or if you are not satisfied with their explanations, you should not use the data.
  • Make sure you ask prospective suppliers how they will help you not only comply with the law, but also demonstrate that you comply.
  • Don't accept bland assurances; expect them to show you.
  • We are delighted to answer your due diligence questions; make sure any other potential supplier is too.
Finished Code of Conduct? No. Legally binding? No.

Nevertheless, it would be wise to consider the ICO's draft code a clear warning!



Data management you can trust

Pro-tips: Spreadsheets and data cleaning


Many people use spreadsheets as a tool for managing direct marketing data. They are excellent. However, they were created primarily for accountants and book-keeping type operations. This means they can need some creativity to bend them to the task of helping you manage other types of data.

In this article we look at one issue which our customers often have trouble with. We mentioned the issue of duplication and its risks in our recent articles 'Demystifying Data Cleansing' and 'Demystifying deduplication and merge/purge'.

In the full articles we cover:
  • Adding IDs
  • 'Fixing' dynamic data
  • Sorting the data to highlight issues
  • Returning the data to its original order

To view the article for Excel, click here.
For the article for Calc, click here.



Data protection advice you can trust

Do you need to register with the ICO?


Recent announcement


The ICO recently sent out a letter reminding organisations that they may need to pay a fee to register with the regulator. The Times reported it had been perceived as "heavy handed" by some recipients, and was sometimes mis-interpreted as a scam.

Controversy over wording leading to uncertainty


It's fair to say the 'data protection fee' can sound a bit like a racket cooked up by Al Capone or similar mobsters offering protection. However, what is the truth?

The ICO is correct: under certain circumstances organisations are required to register with them, but not under ALL circumstances. They have undertaken to be self-funding, and data protection fees may well be a significant part of their intended revenue generation plan. But do YOU need to register?

What the law says


An organisation that is a data controller must register unless it is exempt. The Data Protection (Charges and Information) Act 2018 governs the need for registration and the fees involved. There are 3 tiers with the following annual costs:
  • Tier 1 - £40
  • Tier 2 - £60
  • Tier 3 - £2,900
You can save £5.00 if you pay by direct debit!

Which tier you fall in is calculated as follows:
  • Tier 1 - charities, or up to 10 staff and less than £632,000 annual turnover
  • Tier 2 - 11 to 250 employees and annual turnover less than £36 million
  • Tier 3 - everyone else

Who needs to register


The rules are deceptively simple: all organisations must register unless all their processing is 'exempt'.

The Act contains a 'Schedule' which lays out what is exempt processing. When you look at it, most processing for many businesses will indeed be exempt.
  • Staff administration (including payroll)
  • Accounts or records (ie invoices and payments)
  • Advertising, marketing and public relations (in connection with your own business activity)
If your organisation's line of work is finance, care, education or processing data on behalf of others, or if you use CCTV to detect crime, you almost certainly do need to register.

The ICO have created a helpful self-assessment tool. It takes almost no time to complete, so if you have any concerns, give it the 2 minutes it requires.

Pragmatism


Even if you are exempt, the ICO helpfully provide a quick link from the end of the self-assessment to pay a data protection fee anyway, and to be honest, given the low costs you may want to, just for peace of mind.

We have also seen examples of how the ICO are likely to deal with those who should pay the 'data protection fee' but don't. Noble Design and Build of Telford were prosecuted by the ICO on the 3rd July 2018 for not being registered when the company should have been. The company received a letter, and then an email telling them they needed to register, and other things. This action was taken under the DPA 1998, due to the date of the offence. The total cost to the company was £5,034.08.

We can imagine action taken in the GDPR age may be considerably more draconian.