This is governed by the Data Protection Act 1998 (the Act), which implemented the 1995 EU Directive. The Act relates to personal data, which includes name, address, telephone number, mobile phone number and email address (including a work email address), and to the processing of such data. Processing includes obtaining, recording, holding or altering lists of customers/prospective customers.
The Act therefore applies to all types of sales promotion which involve the use of information about individuals. The Information Commissioner’s Office (ICO) deals with the administration of the Act and runs the notification system. All organisations that decide the purposes for which personal data is to be processed and the manner in which such personal data is to be processed are defined as data controllers under the Act.
They may outsource the data processing to data processors. Data controllers have to notify the ICO annually and pay a fee, which is currently £35. The ICO also deals with enforcement of the Act and provides guidance on interpretation of the Act.
The Act lays down eight key principles:
Personal data must:
- Be fairly and lawfully processed.
  If, for example, you are using the sales promotion as a data collection incentive you must:
  - State the identity of the promoter
  - State the purposes for which you are going to use the data (e.g. to send the entrant further details of products and services offered by the promoter)
  - Ensure that processing is fair (for example, if you want to send the data out of the European Economic Area the individual should be informed of this)
- Be processed only for one or more specified purposes
This requires you to state the purposes for which the personal data collected as a result of the promotion is going to be used in the future – which may include marketing the promoter’s goods and services – and to limit the processing of that data to these purposes.
- Be adequate, relevant and not excessive
You should identify the minimum amount of information that is required in order to fulfil the relevant purpose(s) for processing and set the amount and nature of information gathered accordingly.
- Be kept accurate and up to date
Personal data must not be incorrect or misleading on any factual matter and you should take reasonable steps to ensure the accuracy of the data.
- Be kept for no longer than is necessary
The fifth principle is perhaps the hardest of the principles for companies to interpret. Whilst no clear interpretation is given in the Information Commissioner’s Office guidance papers or indeed within the Data Protection Act itself, personal data should be reviewed regularly and data that is no longer required should be discarded.
- Be processed only in accordance with the rights of individuals (defined as ‘data subjects’ in the Act).
Individuals have the right to opt out of receiving further direct marketing from the company running the sales promotion and from having their details passed on to third parties.
If intending to market to individuals by post or telephone, the easiest way to do this is by having two opt-out boxes on the form such as ‘Please tick here if you do not want to receive details of our products and services’ and ‘Please tick here if you do not want your details passed on to third parties’.
If you want to be able to share the details with group companies then it is advisable to add a further tick box ‘Please tick here if you do not want your details to be passed on to other group companies’.
If you offer entrants the opt-out boxes and they don’t tick them then you can continue to send marketing material to them by post or telephone, provided they are not registered on the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS) (for B2B promotions).
The Privacy and Electronic Communications Directive means you are unable to send unsolicited email or SMS messages to consumers unless they have given their prior consent.
You are able to send email and SMS messages to customers with whom you have an existing relationship on an opt-out basis, provided certain conditions are met.
You should also be aware that individuals have the right to ask for a copy of all the information a business holds about them. The maximum fee a business can charge for providing this information is £10.
- Be kept secure
Using passwords to restrict access to customer records and keeping audit trails of access and who made changes are examples of practices that help achieve compliance.
Employing reliable staff who are then regularly trained in their obligations in handling personal data is also crucial for compliance with this principle.
- Not be transferred to countries outside the European Economic Area (15 member states of the European Union + Iceland, Liechtenstein and Norway)
If you are transferring data to countries outside the EEA, the best course is to take legal advice from the DMA Legal Team, as this is a complex and ever-changing area.
See also the Direct Marketing Rules of the CAP Code, section on database practice.