Burnetts logo

Data Danger

It’s now quicker and cheaper than ever to keep in touch so we all receive a daily glut of marketing emails from companies we do business with, as well as many we have never heard of.

Many entrepreneurs will have spent the Christmas break thinking about new ways to develop their businesses but before you resolve to boost your bottom line with a state-of-the-art electronic newsletter, you should be aware of your responsibilities under the Data Protection Act 1998, the “E-Commerce” Regulations 2002 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The Data Protection Act applies to any organisation which processes personal data i.e. data which relates to a living individual who can be identified from data it holds. This could cover supplier information as well as information on customers which you use for your marketing.   A person’s name and address in a marketing database is personal data.

If you process personal data, you may have to be registered with the Information Commissioner’s Office (ICO). Failure to notify the ICO is a criminal offence. For most organisations, the annual fee to notify is just £35 (no VAT). The process is reasonably straightforward so don’t be conned by companies offering to help with your registration or claiming a much higher fee.

Organisations processing data must comply with the Act’s eight principles of data protection which include requirements that data is fairly and lawfully processed, processed for specific purposes, is accurate and up to date, and processed in line with individuals’ rights.  Details of all eight principles of good information handling are available at the ICO website.
You should also be aware that an individual’s personal details may be bought and sold (for example, as part of a mailing list) but only with the consent of the person concerned to their information being used for direct marketing. If you are thinking of buying a mailing list, you should, at least, get written confirmation from the seller that the people named in it have given that consent.

The “E-Commerce” Regulations provide that any form of electronic message designed to promote a supplier must be identified as a commercial communication and specify the organisation on whose behalf it was sent.  In addition, these Regulations provide that unsolicited commercial e-mails (“spam”) must be clearly identifiable as such so that the recipient can choose to delete the message unread.  The recipient may also, under the Data Protection Act, require the deletion of their data from your direct marketing list at any time.

There are additional rules governing email communications under the Privacy and Electronic Communications Regulations. Under these Regulations (and the Data Protection Act) you should only send electronic marketing material to individuals who have given their permission for you to do so.  Permission cannot be presumed from a failure to respond – it must be granted by a positive act.  The exception is a “soft opt-in”, which applies where you are marketing your products to individuals whose details you have gathered in the process of a previous sale and where the individual had the opportunity to refuse direct marketing messages when they first gave you their details.  It is essential that an opportunity to opt out is included in every email and that you act promptly on such opt outs.  You must also include a full postal address in your communication.  The ICO has published a Good Practice Note on email marketing which is available from the ICO website.

The ICO has legal powers to ensure that organisations comply with the requirements of both the Data Protection Act and the Privacy and Electronic Communications Regulations (and it is a criminal offence to fail to comply with an enforcement notice).

E-newsletters and direct mailings are effective means of communicating with customers, but don’t run the risk of damaging your business by sending unwanted material using out of date or incorrect contact details.

Vaughan Jones is a Partner at Burnetts in Carlisle and Newcastle. For advice on how data protection legislation affects your business, contact Vaughan on 01228 552222 or visit www.burnetts.co.uk

About the author

Vaughan Jones profile photo

Vaughan Jones

Vaughan Jones is Partnership Chair and a specialist in Corporate Law.

Published: Thursday 7th January 2010
Categorised: Corporate Law, Information Law

All Factsheets