How to ensure your marketing database is legal
- 1 Review what data you collect, and why you need it.
- 2 Ensure that you do not collect any unnecessary personal data; delete any unnecessary information from your records.
- 3 Check whether you need to notify the Information Commissioner about your use of personal data and, if necessary, do so.
- 4 Train employees on how data protection principles apply to their work.
- 5 Make breaches of data security policies and misuse of data disciplinary offences.
- 6 Collect information fairly; if in doubt, ask contacts to opt in before adding them to your database.
- 8 Maintain a ‘do not contact’ list of individuals and companies who have opted out; check against this list before adding new contacts to your database.
- 9 Take steps to ensure that you input data accurately.
- 10 If you buy in mailing (or other) lists, ensure that they have been properly screened (for example, checked against the Mailing Preference Service) and that the list broker has obtained the proper opt-ins if you want to market to the list electronically.
- 11 Give contacts the right to opt out from further communications whenever you send them mail or electronic communications.
- 12 Protect access to systems and data: for example, through appropriate building security and computer passwords.
- 13 Install appropriate electronic security: for example, a firewall and anti-virus software.
- 14 Restrict access to sensitive information to employees who need it.
- 15 Set up a system for updating your database, including removing information that is no longer needed.
- 16 Dispose of old records (paper or electronic) securely.
- 17 Ensure that you back up your database, and that backup copies are kept secure.
- 18 Set up a procedure for responding to subject access requests from individuals who ask to see what information you hold on them.
- 19 Check the legal position before you transfer or sell your database (for example, selling to a third party or transferring to an overseas office).
Do:
- notify the Information Commissioner if necessary
- use data only for legitimate business purposes
- ask contacts to opt in to receiving marketing communications
- give contacts the opportunity to opt out from further communications
- protect your database from unauthorised access
Don't:
- collect information just because you can
- send unsolicited ‘spam’ emails
- cold call individuals or companies who have opted out
- allow employees to share passwords