SMS Marketing – A Brief Guide to the Data Protection Act 1998
The Data Protection Act 1998 (DPA) is one of those laws that seems to be referenced regularly in the news and in conversation, but many people are not clear on what it actually covers. Only this week it appeared in the headlines again, with London’s Royal Free Hospital breaching it by transferring 1.6 million patient records to Google’s DeepMind subsidiary without consent.
If your business collects, stores and uses other people’s personal data for purposes such as marketing and selling, then it is likely to apply to you. Having a basic understanding of the DPA legislation and its main requirements is useful to maintain best practice in direct marketing such as SMS marketing and also helps to uphold your hard won customer trust.
Why was the Act Passed?
The Data Protection Act 1998 (DPA) was passed by Parliament to control the storage and use of personal information by government, organisations and businesses and to provide legal rights to those whose details were being stored. It is enforced by the Information Commissioner’s Office (ICO).
The DPA was created in response to the rapidly growing use of computer technology in business in the latter half of the last century and the equally growing concerns about how information that could identify individuals was being handled. As it became routine for businesses to use computers to store databases of personal details about their staff, clients and customers, there were worries about the accessibility, accuracy and transfer of such databases.
What is Personal Data?
Personal data means any data or information relating to a living individual, who could be identified from it. This includes opinions about the individual. These individuals are also called ‘data subjects’ under the DPA. It covers all personal data being held for commercial purposes. Personal data held for domestic purposes such as an address book holding your friend’s contact details is not covered.
There are additional safeguards for ‘sensitive personal data’, which is information presumed by the Act to be private in nature and which could potentially be used in a discriminatory way. This includes, but is not limited to: race, sexual life, religious beliefs, political beliefs, health and potential criminal proceedings involving the individual. Any business processing sensitive data needs to meet exacting conditions to do so, which are laid out by the ICO.
Data Controllers & Processors
All businesses in the UK that hold or store personal data on computer or any organised paper filing system are required to register with the ICO and define whether they are data controllers or data processors. A data controller is the person and/or legal entity (for example, a limited company) who decides how and why personal data should be collected. An organisation can nominate a single person to oversee compliance with the DPA.
A data processor is a person or organisation which processes data on behalf of another, for example a call centre business handling customer services for another company. The call centre would need to access the contracting company’s collected data, but it is not responsible for deciding how and why the data is collected; that remains with the contracting company, who would be the data controller in that case.
However, data processors are often still data controllers in their own right when they hold and process records for their own business ends, such as employee records. If it is unclear, the ICO will usually look at who has decided the business purpose for which the data will be or has been collected.
When registering with the ICO, data controllers must give certain information in advance which includes their name and address, what data they intend to collect and store, what they propose to do with the data, whether they plan to pass the data onto third parties, whether the data will be transferred outside the EU for any reason and what measures they have in place to keep all data secure.
The Data Protection Principles
The Act sets out eight clear Data Protection Principles that must be followed. These principles rule that information must be:
- used fairly and lawfully
- used for limited and specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
Conditions for Processing Personal Data
There are several conditions for processing, or using, personal data set out in the Act, of which data controllers must meet at least one. They are:
- That the data subject has given permission for the collection, storage and use of their data.
- The processing is necessary in relation to a contract or that the data subject has asked for something prior to entering a contract.
- Required because of a legal obligation that applies to the data controller (excluding contractual obligations).
- A need to protect the individual’s ‘vital interests’ (a life and death matter such as a hospital dealing with an emergency).
- Necessary for carrying out judicial, statutory, governmental or other public functions.
- That the processing meets the ‘legitimate interests’ condition.
The ‘legitimate interests’ condition is there to cover data controllers who have a legitimate purpose for processing the data but may not fit under the other conditions. An example would be a debt collection agency hired to recover a debt on behalf of a finance company.
The ICO is clear that meeting the conditions does not necessarily mean that the processing is being carried out fairly and/or lawfully and that data controllers should check carefully.
There are special circumstances where personal data is not covered under the remit of the DPA. There are full exemptions such as any data being held for a National Security reason and partial exemptions like the police or HMRC who do not have to disclose their case files to individuals. There are also exemptions from having to register for some businesses if their activity is limited but further clarification should be sought as it can be complex.
Data Subject Rights
Individuals or data subjects are given several rights under the DPA:
- A right of subject access, meaning they can ask the data controller to provide a copy of the information held on them. Unless an exemption prevents release, the data controller must do this within 40 days of the request and charge no more than £10 for doing so.
- A right to prevent distress. A data subject could block the use of information if it could cause them distress.
- A right to prevent direct marketing. A data subject can reasonably request in writing that their details are not used for direct marketing.
- A right to prevent automated decisions, such as those used on loan application websites.
- A right of correction. A data subject is entitled to request that any mistakes are corrected.
- A right to compensation or damages if their personal data is compromised.
How Does it Apply to Businesses Using SMS Marketing?
In order to market effectively through SMS text messages, or indeed any other method of direct marketing, you need to maintain a database of your customers’ details. In essence, the DPA requires that if you intend to collect and store such information, you must check whether you need to register with the ICO, and you are responsible for making sure that this information is securely protected and used appropriately, fairly and legally. You must have consent from individuals to hold this information and you must respond promptly to any request by individuals regarding their personal data.
Every member of staff within a business that handles and controls personal data has a responsibility under the Data Protection Act 1998. All employees should be well trained to recognise their responsibility, think carefully about how they handle customer personal data and understand security procedures.
Failure to comply with the DPA can lead to enforcement action by the ICO which could range from advisory notices, undertakings and audits through to fines or even criminal prosecution.
The DPA is scheduled to be replaced in May 2018 by new EU regulations called the General Data Protection Regulations, so expect to hear and read a lot more about data protection laws in the news over the coming months. Watch out for more information from FastSMS to help explain the new changes.
At FastSMS, we offer some of the UK’s most competitively priced business bulk SMS solutions, supported by an award-winning customer service team who you can trust to be at the ready 24/7. To learn more about just what we can offer your business, give us a call today on 0800 954 5303.
Disclaimer – This article is intended only as general information. It is not intended to be comprehensive or constitute legal advice. If you need help on a specific issue please seek advice from a qualified legal representative.
Further Information and Reading: https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf