SMS Marketing – A Brief Guide to the Data Protection Act 1998
The Data Protection Act 1998 (DPA) is one of those laws that seems to be referenced regularly in the news and in conversation, but many people are not clear on what it actually covers. Only this week it appeared in the headlines again, with London’s Royal Free Hospital breaching it by transferring 1.6 million patient records to Google’s DeepMind subsidiary without consent.
If your business collects, stores and uses other people’s personal data for purposes such as marketing and selling, then it is likely to apply to you. Having a basic understanding of the DPA legislation and its main requirements is useful for maintaining best practice in direct marketing such as SMS marketing, and also helps to uphold your hard-won customer trust.
Why was the Act Passed?
The Data Protection Act 1998 (DPA) was passed by Parliament to control the storage and use of personal information by government, organisations and businesses and to provide legal rights to those whose details were being stored. It is enforced by the Information Commissioner’s Office (ICO).
The DPA was created in response to the rapidly growing use of computer technology in business in the latter half of the last century and the equally growing concerns about how information that could identify individuals was being handled. As it became routine for businesses to use computers to store databases of personal details about their staff, clients and customers, there were worries about the accessibility, accuracy and transfer of such databases.
What is Personal Data?
Personal data means any data or information relating to a living individual who could be identified from it. This includes opinions about the individual. These individuals are also called ‘data subjects’ under the DPA. It covers all personal data being held for commercial purposes. Personal data held for domestic purposes, such as an address book holding your friends’ contact details, is not covered.
There are additional safeguards for ‘sensitive personal data’, which is information presumed by the Act to be private in nature and which could potentially be used in a discriminatory way. This includes, but is not limited to: race, sexual life, religious beliefs, political beliefs, health and potential criminal proceedings involving the individual. Any business processing sensitive data needs to meet exacting conditions to do so, which are laid out by the ICO.
Data Controllers & Processors
All businesses in the UK that hold or store personal data on computer or any organised paper filing system are required to register with the ICO and define whether they are data controllers or data processors. A data controller is the person and/or legal entity (for example, a limited company) who decides how and why personal data should be collected. An organisation can nominate a single person to oversee compliance with the DPA.
A data processor is a person or organisation which processes data on behalf of another, for example a call centre business handling customer services for another company. The call centre would need to access the contracting company’s collected data, but it is not responsible for deciding how and why the data is collected. That responsibility remains with the contracting company, which would be the data controller in that case.
However, data processors are often still data controllers in their own right when they hold and process records for their own business ends, such as employee records. If it is unclear, the ICO will usually look at who has decided the business purpose for which the data will be or has been collected.
When registering with the ICO, data controllers must give certain information in advance which includes their name and address, what data they intend to collect and store, what they propose to do with the data, whether they plan to pass the data onto third parties, whether the data will be transferred outside the EU for any reason and what measures they have in place to keep all data secure.
The Data Protection Principles
The Act sets out eight clear Data Protection Principles that must be followed. These principles rule that information must be:
- used fairly and lawfully
- used for limited and specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
Conditions for Processing Personal Data
There are several conditions for processing, or using, personal data set out in the Act, of which data controllers must meet at least one. They are:
- That the data subject has given permission for the collection, storage and use of their data.
- The processing is necessary in relation to a contract, or because the data subject has asked for something prior to entering a contract.
- The processing is required because of a legal obligation that applies to the data controller (excluding contractual obligations).
- There is a need to protect the individual’s ‘vital interests’ (a life and death matter such as a hospital dealing with an emergency).
- The processing is necessary for carrying out judicial, statutory, governmental or other public functions.
- That the processing meets the ‘legitimate interests’ condition.
The ‘legitimate interests’ condition is there to cover data controllers who have a legitimate purpose for processing the data but may not fit under the other conditions. An example would be a debt collection agency hired to recover a debt on behalf of a finance company.
The ICO is clear that meeting the conditions does not necessarily mean that the processing is being carried out fairly and/or lawfully and that data controllers should check carefully.
There are special circumstances where personal data is not covered under the remit of the DPA. There are full exemptions such as any data being held for a National Security reason and partial exemptions like the police or HMRC who do not have to disclose their case files to individuals. There are also exemptions from having to register for some businesses if their activity is limited but further clarification should be sought as it can be complex.
Data Subject Rights
Individuals or data subjects are given several rights under the DPA:
- A right of subject access, meaning they can ask the data controller to provide a copy of the information held on them. Unless an exemption prevents release, the data controller must do this within 40 days of the request and charge no more than £10 for doing so.
- A right to prevent distress. A data subject could block the use of information if it could cause them distress.
- A right to prevent direct marketing. A data subject can reasonably request in writing that their details are not used for direct marketing.
- A right to prevent automated decisions, such as those used on loan application websites.
- A right of correction. A data subject is entitled to request that any mistakes are corrected.
- A right to compensation or damages if their personal data is compromised.
How Does it Apply to Businesses Using SMS Marketing?
In order to effectively market through SMS text messages, or indeed any other method of direct marketing, you need to maintain a database of your customers’ details. In essence, the DPA requires that if you intend to collect and store such information, you must check whether you need to register with the ICO, and you are responsible for making sure that this information is securely protected and used appropriately, fairly and legally. You must have consent from individuals to hold this information and you must respond promptly to any request by individuals regarding their personal data.
Every member of staff within a business that handles and controls personal data has a responsibility under the Data Protection Act 1998. All employees should be well trained to recognise their responsibility, think carefully about how they handle customer personal data and understand security procedures.
Failure to comply with the DPA can lead to enforcement action by the ICO which could range from advisory notices, undertakings and audits through to fines or even criminal prosecution.
The DPA is scheduled to be replaced in May 2018 by new EU regulations called the General Data Protection Regulations, so expect to hear and read a lot more about data protection laws in the news over the coming months. Watch out for more information from FastSMS to help explain the new changes.
Disclaimer – This article is intended only as general information. It is not intended to be comprehensive or constitute legal advice. If you need help on a specific issue please seek advice from a qualified legal representative.
Further Information and Reading: https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf