SMS Marketing – A Brief Guide to the Data Protection Act 1998
The Data Protection Act 1998 (DPA) is one of those laws that seems to be referenced regularly in the news and in conversation but many people are not clear on what it actually covers. Only this week has it appeared in the headlines again with London’s Royal Free Hospital breaching it by transferring 1.6 million patient records to Google’s DeepMind subsidiary without consent.
If your business collects, stores and uses other people’s personal data for purposes such as marketing and selling, then it is likely to apply to you. Having a basic understanding of the DPA legislation and its main requirements is useful to maintain best practice in direct marketing such as SMS marketing and also helps to uphold your hard won customer trust.
Why was the Act Passed?
The Data Protection Act 1998 (DPA) was passed by Parliament to control the storage and use of personal information by government, organisations and businesses and to provide legal rights to those whose details were being stored. It is enforced by the Information Commissioner’s Office (ICO).
The DPA was created in response to the rapidly growing use of computer technology in business in the latter half of the last century and the equally growing concerns about how information that could identify individuals was being handled. As it became routine for businesses to use computers to store databases of personal details about their staff, clients and customers, there were worries about the accessibility, accuracy and transfer of such databases.
What is Personal Data?
Personal data means any data or information relating to a living individual, who could be identified from it. This includes opinions about the individual. These individuals are also called ‘data subjects’ under the DPA. It covers all personal data being held for commercial purposes. Personal data held for domestic purposes such as an address book holding your friend’s contact details is not covered.
There are additional safeguards for ‘sensitive personal data’ which is information presumed by the Act to be private in nature and potentially could be used in a discriminatory way. This includes but is not limited to; race, sexual life, religious beliefs, political beliefs, health and potential criminal proceedings involving the individual. Any business processing sensitive data needs to meet exacting conditions to do so which are laid out by the ICO.
Data Controllers & Processors
All businesses in the UK that hold or store personal data on computer or any organised paper filing system are required to register with the ICO and define whether they are data controllers or data processors. A data controller is the person and/or legal entity (for example, a limited company) who decides how and why personal data should be collected. An organisation can nominate a single person to oversee compliance with the DPA.
A data processor is a person or organisation which processes data on behalf of another. For example, a call centre business handling customer services for another company. They would need to access the contracting company’s collected data but the call centre is not responsible for deciding how and why the data is collected, that remains with the contracting company who would be the data controller in that case.
However, data processors are often still data controllers in their own right when they hold and process records for their own business ends, such as employee records. If it is unclear, the ICO will usually look at it as to who has decided the business purpose for which the data will be or has been collected.
When registering with the ICO, data controllers must give certain information in advance which includes their name and address, what data they intend to collect and store, what they propose to do with the data, whether they plan to pass the data onto third parties, whether the data will be transferred outside the EU for any reason and what measures they have in place to keep all data secure.
The Data Protection Principles
The Act sets out eight clear Data Protection Principles that must be followed. These principles rule that information must be:
- used fairly and lawfully
- used for limited and specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
Conditions for Processing Personal Data
There are several conditions for processing, or using, personal data set out in the Act, of which data controllers must meet at least one. They are:
- That the data subject has given permission for the collection, storage and use of their data.
- The processing is necessary in relation to a contract or that the data subject has asked for something prior to entering a contract.
- Required because of a legal obligation that applies to the data controller (excluding contractual obligations).
- A need to protect the individual’s ‘vital interests’ (a life and death matter such as a hospital dealing with an emergency).
- Necessary for carrying out judicial, statutory, governmental or other public functions.
- That the processing meets the ‘legitimate interests’ condition.
The ‘legitimate interests’ condition is there to cover data controllers who have a legitimate purpose for processing the data but may not fit under the other conditions. An example would be a debt collection agency hired to recover a debt on behalf of a finance company.
The ICO is clear that meeting the conditions does not necessarily mean that the processing is being carried out fairly and/or lawfully and that data controllers should check carefully.
Exemptions
There are special circumstances where personal data is not covered under the remit of the DPA. There are full exemptions such as any data being held for a National Security reason and partial exemptions like the police or HMRC who do not have to disclose their case files to individuals. There are also exemptions from having to register for some businesses if their activity is limited but further clarification should be sought as it can be complex.
Data Subject Rights
Individuals or data subjects are given several rights under the DPA
- A right of subject access, meaning they can ask the data controller to provide a copy of the information held on them. Unless an exemption prevents release, the data controller must do this within 40 days of the request and charge no more than £10 for doing so.
- A right to prevent distress. A data subject could block the use of information if it could cause them distress.
- A right to prevent direct marketing. A data subject can reasonably request in writing that their details are not used for direct marketing.
- A right to prevent automated decisions, such as those used on loan application websites.
- A right of correction. A data subject is entitled to request that any mistakes are corrected.
- A right to compensation or damages if their personal data is compromised.
How Does it Apply to Businesses Using SMS Marketing?
In order to effectively market through SMS text messages, or indeed any other method of direct marketing, you need to maintain a database of your customer’s details. In essence, the DPA requires that if you intend to collect and store such information, you must check if you need to register with the ICO and you are responsible for making sure that this information is securely protected and used appropriately, fairly and legally. You must have consent from individuals to hold this information and you must respond promptly to any request by individuals regarding their personal data.
Every member of staff within a business that handles and controls personal data has a responsibility under the Data Protection Act 1998. All employees should be well trained to recognise their responsibility, think carefully about how they handle customer personal data and understand security procedures.
Failure to comply with the DPA can lead to enforcement action by the ICO which could range from advisory notices, undertakings and audits through to fines or even criminal prosecution.
The DPA is scheduled to be replaced in May 2018 by new EU regulations called the General Data Protection Regulations, so expect to hear and read a lot more about data protection laws in the news over the coming months. Watch out for more information from FastSMS to help explain the new changes.
At Fastsms, we offer some of the UK’s most competitively priced business bulk SMS solutions, supported by an award winning customer service team who you can trust to be at the ready 24/7. T0 learn more about just what we can offer your business, give us a call today on 0800 954 5303.
Disclaimer – This article is intended only as general information. It is not intended to be comprehensive or constitute legal advice. If you need help on a specific issue please seek advice from a qualified legal representative.
Further Information and Reading: https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf
Related Articles
What Not to Do When the ICO Comes Calling
The regulations about SMS marketing are quite clear. But sometimes people, and companies, can make mistakes. Find out what happened to a company that reacted poorly to the ICO’s request for information, and how it made their situation so much worse.
What You Can Learn About SMS Marketing from These 7 Companies
The Information Commissioner’s Office (ICO) issued seven monetary penalties against companies this year. We’ve read through them all – so you don’t have to – and discovered two lessons every company should learn about SMS marketing if they want to be successful.
The ONE Thing You Never Want To Do In SMS Marketing
"UK B2C data for SMS marketing" - That was the search result headline I found while researching online. Interesting I thought. It must be relating to SMS marketing statistics for B2C (business to consumer) sales. Since I was searching for some updated information and studies about SMS I decided to click and read.
The price for being funny in an SMS message
A Demonstration on How Not to Build Your SMS List
Over the last month or so I've signed up for quite a lot of webinars. I'm always trying to learn more about technology, marketing, best practices – you get the idea. So I've been excited to see many organisations offering SMS reminders for webinars. But there is one experience I had with an SMS reminder for a webinar that I simply had to share.
SMS Marketing – Should You Buy a List?
Starting an SMS marketing campaign can be a daunting task. Gathering explicit opt ins can take time, as you need to make an investment in advertising. So why not just get a jumpstart and buy a list of mobile numbers from an organisation that already has the opt ins? You could do that, but it’s probably harder than just getting people to opt in on their own. Here’s why.
What You Can Learn From a Bad SMS Message
In last week’s blog I covered how the Trump campaign sent unsolicited SMS messages to voters. This week I’m stuck on the same topic, but from a totally different angle: what we can learn from that failure. Because honestly, their biggest issue might not be violating the law. It might be the people they have writing their SMS messages. It’s time to dissect the message that spawned the law suit, and learn what we can from it.
3 Compliance Tips for Your Next SMS Marketing Campaign
When conducting an SMS marketing campaign, there are a number of compliance regulations you should be aware of, to ensure that your communications are as effective as possible, without being potentially damaging to your campaign or your business. If you're marketing to a UK market, the UK Privacy and Electronic Communications Regulations (PECR) gives clear guidelines on what falls within the rules. Here we've highlighted some key tips to ensure your next campaign is compliant, based on common questions that arise.