IS THERE LIFE AFTER DATA PROTECTION

1
IS THERE LIFE AFTER DATA PROTECTION?

• NCVO Membership Conference
• April 22nd 2008
• Jenny Moseley
• Opt-4

2
Health Warning!

• The information provided and the opinions
  expressed in this seminar represent the views of
  the presenter. They do not constitute legal
  advice and cannot be construed as offering
  comprehensive guidance to the Data Protection Act
  1998 or other statutory measures referred to in
  the course of the presentation.

3
Who are you?

• Registered Charity?
• Voluntary Organisation?
• Commercial Company?
• Membership Organisation?
• NGO?
• Anything else?
• Are you consumer facing?
• Are you business facing?
• Do you have volunteers?
• Do you have a trading arm?
• Are you international in scope?

4
Who am I?

• Former UK Director and Assistant Vice President
  of National Geographic Society the worlds
  largest not-for-profit membership organisation
• Former Chairman of the Direct Marketing
  Association UK and Vice Chairman of FEDMA the
  Federation of European Direct and Digital
  Marketing
• Almost 25 years watching data protection develop
  in the UK and Europe and how it affects direct
  marketing

5
Where are we?

• Were on our second Data Protection Act and
• 3rd Information Commissioner
• We have regulations for everything from basic
• Direct Mail to Bluetooth broadcasting
• Europe has 36 data protection laws and no two are
  the same

6

• Why does data protection compliance matter?

7
It isnt just about fines and jail sentences
COMMISSIONER TO GET TOUGHER POWERS
8
The Information Commissioners Vision

• A Society where
• Information rights and responsibilities are
  respected by all
• Organisations inspire trust by collecting and
  using personal information responsibly securely
  and fairly
• People understand how their personal information
  is used, are aware of their rights and are
  confident in using them

9
Changing customer expectations

• The new generation is a permission generation
• The Internet exposes people to privacy issues and
  tends to be an opt-in medium
• There is less excuse to miss the target or
  offend or annoy now that there is more
  understanding about database marketing

10
Taking Rights Seriously Data Protection the
ICO annual research
11
Audiences are increasingly data wise

• 58 of the general public know what an opt-out is
  
• There are 15m numbers registered on the Telephone
  Preference Service (MPS 3.6m)
• 82 of people in an Opt-4 survey were unhappy
  about giving details of their home phone number
  for future marketing

12
The media is having a field day

• JUNK MAIL AVALANCHE

Daily Mail Headline
13
SPAM is damaging the channel
Greatest threats to the adoption of email as a
channel
DMA National Email Benchmarking Survey Q1-Q3 2005
14
Identity theft concerns us all
Good heavens, Mavis. Its you! This woman must
have stolen your identity! Mack in the Daily Mail
15
(No Transcript)
16
(No Transcript)
17
Trust is everything

• Reputation is critical, especially if your
  audiences are conservative or you are providing a
  service they can live without
• Membership is about long term relationships
• Good targetting is what is now expected
• Data Security is a legal requirement for
  management, staff, volunteers and everyone who
  has access to personal data that you control
  should be trained to follow your rules
• There is a significant business risk in ignoring
  best practice even if it isnt required in
  absolute terms by the legislation

18
Individuals are taking action
19
So are you getting it right?

• Prevention is better than cure!

20
Does the privacy legislation apply to you?

• If you are processing data on living
  individuals then you have a requirement to notify
  the Information Commissioners Office of your
  proposed purposes and disclosure of the data.
  The ICO says that
• it is difficult to envisage any activity
  involving data which does not amount to
  processing
• However, whilst some not for profit organisations
  may be exempt, the Information Commissioner is
  tough on the terms of exemption
• As soon as you send marketing communications,
  conduct research or education programmes you are
  no longer exempt and should notify with the ICO

21
Types of Consent

• Opt-out Implied Consent
• Opt-in Explicit Consent
• Soft opt-in Applies to PECR only and may
  not apply to you

22
Collecting data

• Postal and landline details and all corporate
  data can be collected with an opt-out
• Email and mobile data may be collected with a
  soft opt-in or an opt-in
• Charities cannot use the soft opt-in when
  collecting email details in the course of a
  donation
• Sensitive data need to be collected with opt-in
• 3rd party uses need to be notified when
  collecting
• Scripting of permission statements is vital and
  needs to accommodate these rules

23
Opt out/in by medium - Corporate employees
24
Opt out/in by medium Individuals, sole traders,
partnerships (and their employees)
Except in Scotland
25
Opt out/in by medium charities (and their
employees)
Except in Scotland
26
Do your Fair Collection Notices pass the test?

• Identify the data controller (s)
• Say what will the information will be used for
• Give the data subject the opportunity to opt
  out/in to future marketing messages
• State how can the individual can opt out/in to
  3rd party marketing

27
Can you manage the permissions?

• Maintain a database of fair collection notices to
  manage amendments
• Record fair collection notices codes against
  every outbound effort
• Be able to track which fair collection notices
  members or supporters have been exposed to
• Retain source information for permission

28
Writing effective permission statements

• Use the tone of voice of your members
• Appeal to thrift cost efficient communication
• Fit the message to the audience -
  age/demographics business type
• Cover all future uses/channels to market
• Be clear about who is collecting the information
  (NB Trading arms/affiliated companies)
• Give them a reason to hand over information

29
Example for a charity - using empathy offering
opt-out

• Save the Data Protection Dodo would like to
  keep you informed about the work we are helping
  to make possible, but please let us know if
• ? You dont wish us to contact you about our
  work
• ? You dont wish us to send you a gift catalogue
  from Dodo Trading Ltd

30
Using empathy, getting opt-in

• To process your transaction, we will need to
  make a note of your contact details. We promise
  not to release your details to anyone outside of
  the xxxxx organisation and xxxxxxxxxx.
• We would like to send you information about our
  activities this will include news and
  information on how your membership fee is spent
  and how we can help to support you in the future.
  
• If you prefer us not to use your details this
  way, please tick here ?.
• Email is a very cost effective way for us to
  communicate with you, please complete your email
  address here so that we can send you information
  ..

31
Using empathy- third party use

• We will sometimes allow other organisations
  whose aims are similar to our own to contact our
  members.
• If you do not wish to hear from them by phone
  please tick this box ?.
• If you do not wish them to write to you please
  tick this box ?

32
Collecting Data Online

• Dont use pre-ticked boxes
• Present click through to privacy policy on the
  data collection screen
• Data collected via viral promotions may only be
  used once to gain future permission

33
Collecting sensitive data

• Sensitive data categories
• Ethnicity, politics, religion, trade union
  membership, health, sexual life, criminal
  offences/record
• Must be collected using opt-in
• Subject to strict security and access
• Should not be collected unless necessary
• Data collected from children must have verifiable
  parental consent

34
A few of the things I found on the websites of
some delegates

• Notification
• One organisation has notified to the ICO that
  they are Trading in Personal Information
• but this organisation does not appear to be
  collecting data fairly for its own use, let
  alone to trade data with third parties
• (there are no notices on the promotional
  material at all to advise individuals on why
  their data is being processed by this
  organisation and what they propose to do with it)

35
A few of the things I found on the websites of
some delegates

• Notification
• And this same organisation has not notified
  under the purpose of Information and Databank
  Administration
• Does that mean all transactions take place
  without a computer?

36
A few of the things I found on the websites of
some delegates

• Notification
• Worse still there are organisations sitting in
  this audience who process data but have not
  notified at all with the Information
  Commissioners office!

37
A few of the things I found on the websites of
some delegates

• Fair collection of data
• Another organisation collected personal data
  followed by the following data protection
  statements
• The Institution of ABCs will contact you about
  its products and services that may be relevant to
  you
• (there was no opportunity for individuals to
  object to further marketing messages or choose
  their preferred method of contact)
• If you would like to receive relevant business
  information from carefully selected and
  controlled business partners please indicate your
  preferred method of communication below
• I wish to receive third By email ?
• party mailings By post ?
• (post has been used as an opt-in channel where
  opt-out may be used legitimately and will
  increase the volume of data available for postal
  mailings)

38
Privacy and Cookie Policies

• In the UK, a Privacy Policy is no substitution
  for Data Protection notices, but should reinforce
  the companys commitment to the respect of an
  individuals privacy.

39
A few of the things I found on the websites of
some delegates

• Privacy and Cookie Policies
• One organisation had its PP in a pop up box (my
  computer wont accept pop up boxes)
• Another organisation gave the briefest
  description of its PP and directed readers to
  write in to find out what the PP was
• More than one other organisation did not have a
  PP at all, and one of them simply had a link to
  the ICO website www.ico.gov.uk with no
  explanation as to why

40
The value of correctly gathered permissions

• If you dont get permission you cannot offset the
  cost of acquisition against lifetime value
• Seeking permissions for the most cost effective
  channels means better ROI for future campaigns
• You can use the open channels to increase
  permissions
• Perhaps the easiest of channels to use is email,
  but be careful that doesnt generate a higher
  proportion of unsubscribes.

41
Holding on to permission value - Minimizing Email
Unsubscribes

• Remind them that they opted-in
• Suggest they add you to favourites
• Use the tone of voice in the unsubscribe message
  
• OK to attempt to persuade but not OK to impede
• Link to profile and let them choose what they do
  and dont want

42
Minimizing Email Unsubscribes

• We hope you've enjoyed hearing about our latest
  initiatives. We'd like to hear what you think!
• Send an email with your comments or suggestions
  to response_at_membership.com.
• If you would prefer not to receive emails about
  our work, please click the unsubscribe link at
  the end of this email

43
Minimizing Email Unsubscribes

• To make sure that vital news about all of our
  latest work continues to reach your in box,
  please add xxx_at_membership.com to your safe sender
  list, address book or contacts list.

44
Minimizing Email Unsubscribes

• Thank you for being one of the 93 who have not
  (yet!) asked to be deleted from our database.
  However, if you would like not to receive any
  more information from us please reply to
  delete44507_at_membership.com

45
Summary

• Membership organisations are not exempt from data
  protection rules and if you are a registered
  charity some rules are tougher
• Members expect high standards of compliance
• Getting the right permission at the start is
  vital
• Permission statements and unsubscribe messages
  need to be carefully worded
• Permissions must be carefully stored and managed

46
More information about data protection
www.opt-4.co.uk jenny.moseley_at_opt-4.co.uk