1. Institute of Fundraising
Supporter Care &
Stewardship
Friday 21st September 2012
Data Protection
Janine Paterson
DMA Solicitor

2. Overview
• Data Protection Act
• Marketing
• Potential changes in the future

3. Data Protection Act 1998
• Privacy - a topic in the UK and Europe for over
60 years
• Data Protection Act 1984 – minimum
implementation in the UK
• 1995 Data Protection Directive – became DPA
1998
• Privacy and Electronic Communications
Regulations 2003 and 2011

4. 8 Principles
Personal data are:
• Processed fairly and lawfully
• Processed only for specified and lawful purpose(s)
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept longer than necessary
• Subject to rights of data subjects
• Technical/organisational means to prevent unlawful or
unauthorised processing
• Transferred outside EEA only if adequate security
• All relevant to marketing but 1 is foundation

5. Principle 1
Personal data shall be processed fairly
and lawfully and, in particular, shall
not be processed unless-
(a) At least one of the conditions in
Schedule 2 is met, and
(b) In the case of sensitive personal data,
at least one of the conditions in
Schedule 3 is also met

6. Collecting and using data for
marketing
• Processing – doing anything with data
• Collecting and using data for marketing
is processing
• Need grounds to process
• Marketing – consent
• Problem with consent – it can be
withdrawn
• If withdrawn then you can not process
the data for marketing

7. Marketing data
Many ways to acquire personal data for
marketing purposes
– Direct from consumer
– Bought in/rented lists
– Survey sponsorship

8. Marketing rules
General rules – B2C
• Direct Mail – opt-out
• Telephone – opt-out
• Email – opt-in
• SMS – opt-in
• Fax – opt-in

9. Email/SMS marketing
Soft opt-in/existing customer exemption
• Exemption applies if all the conditions apply
• 1) Email or mobile number was acquired in the
course of a sale or negotiations for goods or
services
• 2) Unsubscribe from marketing offered at time
of collecting data and on all subsequent
messages
• 3) Marketing must be only about similar goods
and services
• 4) Identity of sender is not disguised

10. Charitable donations
• Do not come within the definition of the
exemption so opt-in for email and SMS
• ICO confirms view in guidance:
We are a charity, political party, or not-for
profit organisation; can we take advantage
of ‘soft opt-in‘?
Only if you are promoting commercial goods and
services, for example, those offered by your
trading arm.
ICO guidance on electronic marketing

11. So what to do?
• ICO recognise the difficulty this causes.
• Argue that organisations should seek
“solicited” communications, ie get
people to actively agree to being
contacted – permission based
marketing
• Send messages to people who actually
want to hear from you

12. Permission based marketing
• Don’t see it as the enemy
– Comply with legal requirements
– Good data management
– Increase customer confidence and
therefore the bottom line

13. Legal requirements
• Data Protection Act - 8 principles
• Marketing opt-ins/outs

14. Good data management
• Makes good business sense – data is
an asset and can give a competitive
edge
• Data quality is vital to the success of
any business
• Affects reputation and brand

15. Consumer confidence
• Consumers - more aware value of data
• Will affect whom consumers do
business with

16. How can we achieve this?
• New customers
– easiest as can show benefits
– over telephone or on a website sell
the benefits of agreeing to be
contacted
– Privacy policy

17. How can we achieve this?
• Existing customers
– more difficult – should have got opt-in when
first joined
– Database update – service message
• Duty to keep information held accurate and up to
date
• Confirm marketing preferences
• Incentive - prize draw
– Instil confidence in your customers that you
respect their data and protect it

18. Telemarketing
• Legal requirements for B2C
• In-house suppression file
• TPS screening for all new numbers
acquired if applicable
• TPS screening if buy in/rent third party
opt-ins where organisation was not a
named third party

19. The future
1995 European Directive ( implemented into UK
by 1998 Data Protection Act ) showing its
age due to:
1) Law doesn’t take account of new
technologies – and more complex
information networks
2) Lack of common European law and
differences in national implementation
impedes marketing
3) Consumer concern over privacy – high profile
data security breaches, etc. leading to
reducing permission to market

20. Data Protection Regulation - Key
issues
• Opt-in and opt–out - obtaining consent
• General rule for direct marketing –
“explicit consent by clear statement or
affirmative action”
• Legacy databases – what about data
collected under current law?
• At odds with existing rules on voice
calls, email and SMS marketing

21. Data Protection Regulation - Key
issues
• IP addresses and cookies
– Definition of personal data extended so
could cover some IP addresses and
cookies
– But IP addresses identify a device not an
individual + some IPs are general
• Right to be forgotten
– Right for individuals to request
organisations to delete any information held
on them
– Drafted with social media in mind – but
goes beyond this

22. Data Protection Regulation - Key
issues
• Data breach notification
– Every organisation that suffers a data
security breach would have to notify
Information Commissioner’s Office and the
individuals concerned within 24 hours
– Increase in fines/sanctions – in stages, of
up to 2% of global turnover or 1 million
euros
• Marketing to children
– General rule – parental consent required for
under 18’s
– Exception for online marketing to children
above age of 13

23. What the DMA are doing
• Federation of European Direct and Interactive
Marketing Associations (FEDMA) in Brussels
leading collective EU dm effort – UK DMA chairs
Legal Affairs Committee
• Lobbied Commission intensively after unofficial
draft leaked in Dec 2011 – with some success
• Responded to Ministry of Justice’s Calls For
Evidence in 2010 and 2012, with input from DMA
members.
• Responded to Commons Justice Select Committee
inquiry – Select Committee now holding hearings

24. What the DMA are doing
• Now lobbying UK Government and European
institutions as the proposal goes through the
European legislative process
• Leading UK Data Industry Group response to
the proposed legislation & participating in CBI
Group on Data
• Key research on consumer attitudes to
privacy, Data Privacy: What the Consumer
Really Thinks and on the economic value of
the dm industry, Putting a Price on Direct
Marketing

25. Summary
• Data protection rules not there to hinder
you or stop you running your business
• Use them to build confidence in your
organisation
• Start the dialogue with those who want
to hear
• Involves everyone in the organisation
• Join the DMA and help shape the future

26. Thank you for listening
Janine Paterson
DMA Solicitor
E: janine.paterson@dma.org.uk
T: 020 7291 3356