Data Protection and Marketing

Data protection is one of the fastest growing areas of law in the UK and elsewhere in Europe. It is also, perhaps as a consequence of this, frequently breached.

One of the reasons for the recent growth in domestic and European legislation is that the law regulating to data protection is directly linked to advances in technology. As the ways increase in which personal data may be stored, manipulated and disseminated, so too must the laws regulating such use and dissemination be refined.

The Data Protection Act 1998 (which came into force on 1st March 2000) is the primary piece of domestic legislation in this area. It has since been ‘enhanced’ by a number of European directives, notably the Directive on Data Protection in the Electronic Communications Sector (2002/58/EC). This regulates the way in which data may be collected and used through the Internet and by e-mail.

Most individuals and businesses come into contact with data protection regulation through marketing activities, but may have no idea that they are stepping into a regulated area. A typical example is a company purchasing a customer list, either from a market research company or from a competitor (a company might, similarly, inherit such a list as a consequence of a takeover or group restructure).

Does simply controlling a customer list authorise a company to send product information to the listed names? By what means may such information be sent? What about information on unrelated products? Is the company free to sell a customer list?

These are considerations to which all modern businesses must be alive. Personal data is almost always protected by law, and by using (‘processing’) such data in any way, the holder (the ‘information controller’) usually undertakes an activity regulated by statute.

So what can a business do about this? How can it effectively market its services, by using personal data, whilst still remaining within the law? How can it be confident that information, which it collects on customers and competitors, may be used effectively to develop future business?

There are no simple answers, since the steps which must be taken are determined by the nature of the proposed use of the data. The solution may be to obtain the data subject’s consent to use personal information, to take advantage of legal exemptions or to obtain guidance from the Office of the Information Commissioner, the body responsible for enforcement, in England and Wales, of the Data Protection Act.

Whilst compliance with data protection laws may sometimes seem to be an unnecessary burden, it must not be forgotten that effective (and legal) use of personal data may be extremely valuable to a company or business.

A good and current understanding of the regulations is essential.