What is data protection?
I think consumers are becoming much more aware about data and data protection generally and what their rights are with regard to data protection. And, you know, I get asked quite a lot, you know, what is the Data Protection Act? And I think people do, companies do understand that there are, you know, there is an Act and that there are some things that they need to do with their data. I don’t think very many organisations are aware about the eight principles. Why should they be?
But I think what they do need to be aware of is the fact that you think about data in terms of what data have you got, you know, how accurate is that data? When you collected it, did you get the right permissions for that? How are you going to use that data? The Information Commissioner talks a lot about data minimisation – in other words, only keeping the amount of data that you really need. And then thinking about data from a data security perspective and not kind of leaving it open to data theft. And so really the Data Protection Act is all about helping companies ensure they consider data as the asset that it is, because if you lose it or if you abuse it, it can be a real liability.
Why should companies take data protection seriously?
I think companies should take data protection probably more seriously than they do and I think there are two main reasons for that. One is cost and one is the brand damage and impact loss of data can have on an organisation. So if I elaborate a little bit on that. From the cost perspective, if you think about the cost of inaccurate data – so mailings, people who’ve gone away or sadly have deceased – that can add significantly to a company’s mailing costs. If you take a typical mailing of maybe 100,000 items, goneaways run at about 6% during the life of a consumer file, so that could potentially cost you maybe up to £6,000 in wasted expenditure and that could also be a waste to the environment, too. So cost is one reason.
The second reason is really about kind of direct revenue implications and brand damage that losing data can have on an organisation. There are all sorts of examples where that’s been in the press and TK Maxx is an organisation where the data, the credit card records were hacked over a period of time and that has cost the company hugely both in terms of share loss, brand damage, the fact they had to communicate with all of their customers and explain what had happened. They got lawyers involved, consultants involved. It’s a huge diversion and a huge cost. So, you know, there are many key examples around why companies should think very carefully about protecting their data.
Are organisations aware of the implications of poor data protection?
I think there is some evidence that organisations are beginning to take data protection a little bit more seriously. When we look at organisations we use what we call a data governance maturity model and at the bottom end there are those companies that we kind of describe as being in denial, they’re not doing anything about it, they’re just burying their heads in the sand. And then there are some as you move up that curve who are kind of more reactive.
So if a breach happens or something happens with the quality of their data they react to that particular circumstance. But then there are more and more organisations who are beginning to take their data much more seriously and are looking at systemic ways of ensuring that their data is accurate and that it’s properly permissioned and that they’ve got all the necessary data security elements in place.
So I guess one of the key issues is, what action are companies taking as a result of becoming slightly more aware? And I think one of the key things that we see is that there are more organisations bringing together sort of data governance teams which involves groups of people from within the IT department as well as people from within marketing departments because for so long I think, you know, data protection has been seen as an IT issue and marketing databases are a marketing issue but actually they do really need to come together and work together. Other organisations are asking for data protection audits to, again, get a bit of a feel as to whether or not they’re compliant. So I think there is more action being taken, yes.
How can organisations improve their data protection?
So if I had to give organisations a little bit of advice as to what to do to be more compliant with the Data Protection Act, I think I’d start by saying, well, think about data as if it were cash in your business. It is a major business asset and companies need to view it like that. I’d then suggest that perhaps they ought to do an audit of their company’s data so they can see whether it’s accurate, how it’s been collected, that kind of thing.
I’d suggest they look at data security, again, to make sure that the data that they hold is being held in a secure way. If they use third parties in any way to process that data or data capture, again, I’d suggest that they look very closely at the contracts that they have in place with those third parties. If the data leaves the company in any way I’d suggest they put some kind of seeds or kind of dummy data into the database so that, again, if it’s misused or stolen they can track that in some way.
Other things companies can do I think is really to train their staff in really understanding that data is an asset and making sure that they understand the rules that their company have put in place to keep that data secure. Other things that you might consider doing is looking at some of the standards that exist in the industry. The BSI, the British Standards Institute, has just introduced a new standard around data protection and keeping data secure, so that’s one that people might think about. But really it’s all about making sure that data is an asset and it should be viewed as such.
Is enough being done by those in authority?
We’re quite often asked whether the ICO, the Information Commissioner, actually has enough powers and is enough being done by those in authority to, you know, prosecute companies who, you know, fall foul of the Data Protection Act and I think the ICO probably does need a little bit more teeth.
There is a new set of powers that are coming into place which does enable him to fine companies for kind of undisclosed monetary penalties but it does have to be, you know, quite severe and almost like a deliberate breach of the Data Protection Act. So I think I would like to see probably a little bit more penalties being provided, but at the end of the day it’s about companies and organisations themselves viewing the data as something that is valuable to them and that’s really when the change in attitudes I think will come.
And I think the doomsday scenario if you like is that if companies don’t self-regulate then some of the legislation that has just come into force in Germany where individuals now have to opt in to mailings in order to receive them, that kind of legislation will come our way, you know, there is already a lot of talk about that. So it is very much about ensuring that UK plc gets its act together otherwise the EU legislation will happen to us and it will make marketing much more difficult for those who are involved in the direct marketing industry.