We have all heard of the Data Protection Act. It’s at the tip of your tongue when dealing with cold callers and email spammers, but do you really know what it means and how it affects your organisation?
I recently experienced a major learning curve when putting together a data protection policy for the Institute of Chartered Foresters (ICF), where I hold the position of Marketing & Communications Officer. If you’re thinking of getting started with data protection, here are my top tips.
1. Get to know ICO’s 8 Principles
The Data Protection Act (DPA) is the law that protects personal data stored on computers or in paper files. The UK has seen a number of EU directives that have required amendments to the Act, to keep us in line with an EU-wide policy. As long as we remain part of the EU, the UK can expect further regulations coming down the track that will extend a blanket EU policy.
The Information Commissioner’s Office (ICO) is an independent body that has the power to enforce the DPA. They are very active dealing with data protection complaints, but only in rare cases do these result in fines. That’s not to say you want the ICO knocking on your door under any circumstances – just think about how it would look for a professional body to be in breach of data protection legislation.
If a complaint was raised against your organisation, the ICO would examine how you have adhered to its 8 Principles of the DPA. These principles inform how you should be managing, updating and storing your data and it’s a great place to start in shaping your data protection policy.
2. Establish Roles
Most professional body staff will identify with that awkward moment when a regional group, board member or volunteer calls and asks you to send them a member’s personal information. Names and email address are not really personal data right? Wrong. Part of DPA compliance is learning to say no to such requests, and a strong data protection policy will equip all staff with the background knowledge to deal with this.
Establishing data handling roles in the team is vital. The DPA tells us that we must have a Data Controller – one person in the organisation that takes overall responsibility for the data. Likelihood is that this will be your membership manager or a senior director. Other staff who access and use personal data can be assigned roles like ‘Data Processor’. Being clear about who can and can’t access personal data is vital for its security.
3. Never Export Personal Data
This leads my nicely on to my next tip – sort out your system integrations and never export personal data. Never is a strong word, but I think it’s safe to say that you should think very carefully before exporting any personal data from your database. One of the first thing I did when joining ICF was to integrate the membership database with our email marketing software and the members’ list on the website, to avoid handling mailing lists and compromising data security. Most modern CRMs are fully equipped to deal with email marketing, so there are no excuses.
4. Time for a Spring Clean!
When was the last time you cleaned your database? ICO is hot on the relevancy of the data you hold, to ensure that you are not sending unwanted marketing communications. If you are hoarding non-member contacts on your database that have been there for 10 years and you don’t know how they got there, it is likely you are in breach of legal guidelines. ICF cleans its data annually, removing any inactive non-members.
5. Phone a Friend
Getting started on a data protection policy for ICF was by no means a quick task but it has been hugely beneficial to the organisation, helping both staff and members to understand why we make certain decisions in relation to data management and marketing communications. The best thing I did when starting out with this document was to make a few calls to other professional bodies and ask how they handle the various issues involved. There’s no one-size-fits-all approach but you will find that other professional bodies have faced similar issues.
I quickly realised that ICF’s policy will never be a finished piece of work – as our IT systems and staff and indeed the EU legislation evolves, further drafts will undoubtedly be forthcoming. However there’s still no time like present. The sooner you have a data protection policy in place, the sooner you can confidently get on with the real work of recruiting members.
Julie Adamson is Marketing and Communications Officer at the Institute of Chartered Foresters. She has a background both in digital marketing and the third sector, having worked in fundraising, communications and marketing roles both in Dublin and Edinburgh. Julie has a Masters in Marketing from Edinburgh Napier University. Connect with Julie on Twitter @juliet_adamson