SMS Marketing – A Brief Guide to the Data Protection Act 1998
The Data Protection Act 1998 (DPA) is one of those laws that is referenced regularly in the news and in conversation, yet many people are not clear on what it actually covers. Only this week it appeared in the headlines again, with London’s Royal Free Hospital breaching it by transferring 1.6 million patient records to Google’s DeepMind subsidiary without consent.
If your business collects, stores and uses other people’s personal data for purposes such as marketing and selling, then it is likely to apply to you. Having a basic understanding of the DPA legislation and its main requirements is useful to maintain best practice in direct marketing such as SMS marketing and also helps to uphold your hard-won customer trust.
Why was the Act Passed?
The Data Protection Act 1998 (DPA) was passed by Parliament to control the storage and use of personal information by government, organisations and businesses and to provide legal rights to those whose details were being stored. It is enforced by the Information Commissioner’s Office (ICO).
The DPA was created in response to the rapidly growing use of computer technology in business in the latter half of the last century and the equally growing concerns about how information that could identify individuals was being handled. As it became routine for businesses to use computers to store databases of personal details about their staff, clients and customers, there were worries about the accessibility, accuracy and transfer of such databases.
What is Personal Data?
Personal data means any data or information relating to a living individual who could be identified from it. This includes opinions about the individual. These individuals are also called ‘data subjects’ under the DPA. It covers all personal data being held for commercial purposes. Personal data held for domestic purposes, such as an address book holding your friends’ contact details, is not covered.
There are additional safeguards for ‘sensitive personal data’, which is information presumed by the Act to be private in nature and which could potentially be used in a discriminatory way. This includes, but is not limited to: race, sexual life, religious beliefs, political beliefs, health and potential criminal proceedings involving the individual. Any business processing sensitive data needs to meet exacting conditions to do so, which are laid out by the ICO.
Data Controllers & Processors
All businesses in the UK that hold or store personal data on computer or any organised paper filing system are required to register with the ICO and define whether they are data controllers or data processors. A data controller is the person and/or legal entity (for example, a limited company) who decides how and why personal data should be collected. An organisation can nominate a single person to oversee compliance with the DPA.
A data processor is a person or organisation which processes data on behalf of another, for example a call centre business handling customer services for another company. The call centre would need to access the contracting company’s collected data, but it is not responsible for deciding how and why the data is collected; that remains with the contracting company, who would be the data controller in that case.
However, data processors are often still data controllers in their own right when they hold and process records for their own business ends, such as employee records. If it is unclear, the ICO will usually look at who has decided the business purpose for which the data will be or has been collected.
When registering with the ICO, data controllers must give certain information in advance which includes their name and address, what data they intend to collect and store, what they propose to do with the data, whether they plan to pass the data onto third parties, whether the data will be transferred outside the EU for any reason and what measures they have in place to keep all data secure.
The Data Protection Principles
The Act sets out eight clear Data Protection Principles that must be followed. These principles rule that information must be:
- used fairly and lawfully
- used for limited and specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
Conditions for Processing Personal Data
There are several conditions for processing, or using, personal data set out in the Act, of which data controllers must meet at least one. They are:
- That the data subject has given permission for the collection, storage and use of their data.
- The processing is necessary in relation to a contract or that the data subject has asked for something prior to entering a contract.
- Required because of a legal obligation that applies to the data controller (excluding contractual obligations).
- A need to protect the individual’s ‘vital interests’ (a life and death matter such as a hospital dealing with an emergency).
- Necessary for carrying out judicial, statutory, governmental or other public functions.
- That the processing meets the ‘legitimate interests’ condition.
The ‘legitimate interests’ condition is there to cover data controllers who have a legitimate purpose for processing the data but may not fit under the other conditions. An example would be a debt collection agency hired to recover a debt on behalf of a finance company.
The ICO is clear that meeting the conditions does not necessarily mean that the processing is being carried out fairly and/or lawfully and that data controllers should check carefully.
Exemptions
There are special circumstances where personal data is not covered under the remit of the DPA. There are full exemptions such as any data being held for a National Security reason and partial exemptions like the police or HMRC who do not have to disclose their case files to individuals. There are also exemptions from having to register for some businesses if their activity is limited but further clarification should be sought as it can be complex.
Data Subject Rights
Individuals or data subjects are given several rights under the DPA:
- A right of subject access, meaning they can ask the data controller to provide a copy of the information held on them. Unless an exemption prevents release, the data controller must do this within 40 days of the request and charge no more than £10 for doing so.
- A right to prevent distress. A data subject could block the use of information if it could cause them distress.
- A right to prevent direct marketing. A data subject can reasonably request in writing that their details are not used for direct marketing.
- A right to prevent automated decisions, such as those used on loan application websites.
- A right of correction. A data subject is entitled to request that any mistakes are corrected.
- A right to compensation or damages if their personal data is compromised.
How Does it Apply to Businesses Using SMS Marketing?
In order to market effectively through SMS text messages, or indeed any other method of direct marketing, you need to maintain a database of your customers’ details. In essence, the DPA requires that if you intend to collect and store such information, you must check whether you need to register with the ICO, and you are responsible for making sure that this information is securely protected and used appropriately, fairly and legally. You must have consent from individuals to hold this information and you must respond promptly to any request by individuals regarding their personal data.
Every member of staff within a business that handles and controls personal data has a responsibility under the Data Protection Act 1998. All employees should be well trained to recognise their responsibility, think carefully about how they handle customer personal data and understand security procedures.
Failure to comply with the DPA can lead to enforcement action by the ICO which could range from advisory notices, undertakings and audits through to fines or even criminal prosecution.
The DPA is scheduled to be replaced in May 2018 by new EU regulations called the General Data Protection Regulations, so expect to hear and read a lot more about data protection laws in the news over the coming months. Watch out for more information from FastSMS to help explain the new changes.
At Fastsms, we offer some of the UK’s most competitively priced business bulk SMS solutions, supported by an award-winning customer service team who you can trust to be at the ready 24/7. To learn more about just what we can offer your business, give us a call today on 0800 954 5303.
Disclaimer – This article is intended only as general information. It is not intended to be comprehensive or constitute legal advice. If you need help on a specific issue please seek advice from a qualified legal representative.
Further Information and Reading: https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf