Category Archives: Data Management

EU Draft Data Protection Regulation – Data Breach Notification

Anyone who is in the business of processing personal data will be aware of the proposed new EU Data Protection Regulation. It’s a pretty hot topic right now (as I’m sure you’d agree) as it represents the most significant global development in data protection law since the EU Data Protection Directive that was agreed over 17 years ago. This was clearly way before smartphones were in everyone’s pockets and internet access was in every household, so no one would deny the fact that in this age of mass information sharing, this piece of legislation is in need of some revision.

However, a common view amongst marketers and data owners is that the current draft of the Regulation doesn’t strike the right balance between a) protecting an individual’s right to data privacy, and b) allowing businesses to engage with consumers, using the data they have access to, to deliver really relevant content.

As part of the proposed new Regulation, the European Commission is widening the scope of data protection laws to include a requirement that any business that stores personal data will have to disclose the details of any data security breaches.

So what does this mean and how do data security breaches occur? They can happen in a wide variety of ways, including:
• Lost or stolen laptops, removable storage devices (USB sticks etc.) or paper records containing personal information
• Hard disk drives being disposed of or returned without the information being correctly erased
• Hacking
• Staff members accessing or disclosing personal information illicitly
• Unsecured recycling of confidential waste
• Sending sensitive information digitally without encrypting it properly first

According to the Information Commissioner’s Office (ICO), the definition of a personal data security breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Under the draft Regulation, it’s proposed that any organisation that processes personal data will be required to inform the ICO if a personal data security breach occurs.

So what does this mean for us as Email Marketers?

Essentially it gives the consumer much more information and ultimately control. Yes, this is great for our customers, but not so wonderful for us. Many organisations (especially those of us in the email industry who handle a large amount of data for our clients) have expressed concern about the potential for ‘over-disclosure’ that could arise from the requirement to provide the necessary information within 24 hours of a data security breach, as envisaged in the draft Regulation. It could potentially force organisations to reveal more information than they need to (such as notifying every individual who might have been affected by the breach rather than those who definitely were). This concern is backed up by recent research from LogRhythm, which found that 87% of UK businesses have admitted that they wouldn’t be able to identify individuals affected by a breach within this timeframe.

Another concern amongst email marketers is that this requirement to notify a data security breach within 24 hours doesn’t just apply to organisations based within the EU, but it includes those doing business in it, making the draft Regulation the first de facto global data breach law.

Finally, it could lead to ‘notification fatigue’. With the requirement for each and every breach to be notified, regardless of the severity, consumers could be inundated with breach notifications, which could lead to consumers tuning out.

The good news is that it could take another 3-4 years before the changes come into play; however, many of our peers are expressing concern over the negative impact the new Regulation could have on email and direct marketing. The DMA (UK), with FEDMA, is lobbying the EU institutions in Brussels, the Ministry of Justice and the Department of Culture Media and Sport here in London to try and achieve an outcome that is more business-friendly. We would like to see the requirement to notify regulators and individuals of a data security breach restricted to serious breaches and the 24-hour time limit to notify a breach to be extended. Whatever the outcome is, positive or otherwise, you can bet your bottom dollar that the data security breach notification requirement will remain in the Regulation in some form or other. Therefore, it’s absolutely imperative that you put in place or review clear and well-understood data security breach notification procedures.


EU Data Protection Regulation – Subject Access Request

A lot has changed in the world since the EU Data Protection Directive was first introduced in 1995. The internet was just beginning and much less data was stored and transferred electronically than today. It is no surprise then that the legislation is being updated to meet the challenges of how global business is conducted in the 21st century.

The Data Protection Act of 1998 followed the EU Directive and one of the key rights for individuals was to give them access to their personal data on request. By making a “subject access request” any individual can request all personal data held about them to check the accuracy. The current Act states that the data controller can charge a fee of up to £10 when supplying individuals with a copy of their personal data. The £10 fee does not cover the cost of collating and supplying the information but does, at least, act as a small check to discourage frivolous or vexatious requests.

Under the new proposed EU Data Protection Regulation, organisations would have to supply this information free of charge.

In 2009, the Ministry of Justice estimated that UK businesses spend £50 million a year in fulfilling subject access requests through additional manpower costs alone. If the ability to charge for a request is removed then this figure could increase massively and put a huge financial burden on UK companies.

If we consider that the volume of data held by organisations now is significantly greater than when the original Directive was passed in 1995 and the fact that collating all the personal data relating to an individual is more difficult now than it ever has been, then removing the charge for a subject access request would seem to be the exact opposite of what is required.

Some organisations hold a vast amount of personal data in many different formats and in many locations. You have live data that might be online and backup archives in various formats. Much of this data in the past would normally have been in a structured format such as a database. This made searching the data simpler. Now data controllers have to deal with unstructured electronic data, such as emails, with no indexing and try to identify what data refers to the individual and therefore falls within the definition of personal data. Consider an organisation’s email records. One person might be referenced in these emails by many different names. Not only that, but these emails also might refer to other records stored in other formats, i.e. paper files.

On the positive side, the proposed Draft Regulation does allow the data controller to provide the personal information asked for in a subject access request to the data subject in electronic format, if the information is held electronically and the data subject agrees. This makes perfect sense and would save a lot of unnecessary printing of information which when received by the data subject may be then transferred back into electronic format.

One of the aims of the changes in the draft Regulation is to put all EU countries on a consistent footing, but removing the charge for a subject access request surely cannot be good for anyone.

EU Draft Data Protection Regulation – Data Portability

The next topic in the blog series on the new proposed EU data legislation looks at the area of ‘Data Portability’. Firstly, let me clarify what that phrase means. The DataPortability Working Group defines it as “the option to share or move your personal data between trusted applications and vendors” – it’s really about the ability for people to be able to control their identity, media and other forms of personal data. You want to leave Facebook and use Google+, but what about all those photos and the places that you checked in? Data portability means there should be an easy way to move all this data.

As we increasingly put more of our lives online, we are putting that data at risk. After all who knows if those companies will be around in 5, 20 or 50 years and so it is possible that chunks of your online self could disappear, or the converse when those photos of your 21st birthday remain in a system you haven’t used in 15 years, which is where data portability’s legislative cousin ‘right to be forgotten’ comes into play.

I have a fundamental belief in privacy and transparency around personal data use and will always support the rights of the consumer to control their own data. It is your data, your persona. The challenge is to balance those noble principles with legislation that does not create a legal and regulatory environment that stifles the next Facebook or Flickr, by introducing solutions to problems that market ingenuity would be better placed to develop.

With my commercial practitioner’s hat on, there seem to be two main areas where I believe that the draft Data Protection Regulation needs to be more carefully understood.

The first is the cost to business. A case study in the DMA’s Response to Ministry of Justice Call for Evidence on the EU Data Protection Regulation shows that for a data services provider to the retail sector the costs to implement data portability and right to be forgotten could be up to £100,000 for one-off system development. In an already fragile economic climate, is this additional burden really needed or helpful?

The second area is in the draft Regulation’s desire to try and set technical standards that would underpin the interoperability of systems. FEDMA (Federation of European Direct and Interactive Marketing Associations) believes that Article 12 (b) of the existing European Data Protection Directive (95/46/EC) already covers this area in a technology-neutral manner. Again, do we need more rigid legislation? After all, it may be a surprise to some that since 2010 you can take all your data from Facebook using the ‘download your information’ function under account settings. Is it not in the commercial interests of other social network service providers to be able to make it as easy as possible for people to join their service and take in the data downloaded from Facebook? And to do that in innovative ways legislation would never be able to dictate?

The consumers’ right to control their personal data is already enshrined in the existing Data Protection Directive, so the question to me is: do we need to augment this with a more prescriptive approach? This Regulation could shape our industry for the next decade and so this is your opportunity to get across your perspective and be a part of the debate. I would encourage you all to comment here or reach out to an Email Marketing Council member or the DMA Legal Team.

EU Data Protection International Transfer of Data

The development of technology has enabled businesses to act globally and be less limited by geographical boundaries. From our sofas we can shop online from almost any country in the world, companies can achieve a market presence in a country without having a single employee there; and in the world of iCloud and Dropbox we can access our files wherever we are, yet have no idea where they are actually stored.

So, as digital “borders” blur, how is the EU Data Protection Legislation evolving and what are the implications for marketers?

Let’s look firstly at the existing legislation. The existing UK 1998 Data Protection Act says that “Personal data shall not be transferred to a country or territory outside the European Economic Area (the 27 Member States of the EU plus Iceland, Liechtenstein and Norway) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Of course that’s not quite the whole story. You still have to adhere to other principles of the Act, informing individuals that their data is being transferred, and ensuring that you do it with the right security. Also, in the UK our current legislation allows a data controller to transfer data outside the EEA based on their own assessment of adequacy of protection – and this difference highlights another key challenge – that there are differences in national implementation of the 1995 European Data Protection Directive across the EU. Complaints have also been voiced about the complexity of the 1995 Directive regarding data transfer.

Those hoping for some advancement with the new European Draft Data Protection Regulation are, however, likely to be rather disappointed.

While some of the rules on transferring personal information to countries outside the EEA have been made more business-friendly, the Draft Regulation arguably also takes a step backwards, and raises many more questions.

One of the proposed key changes is that the laws of the country where the data is held become less important than the question of whose data it is. So, for an EU Citizen, no matter where their data is processed, the law that would apply under the Draft Regulation is EU law. It’s nice to feel protected, but one wonders just how practical it will be to enforce implementation of this globally. How will organisations around the world even be able to identify that they are dealing with EU Citizens? In a digital world, nationality is not always obvious, and even if it were, why should organisations really care about laws in another country?

The differences in interpretation of the 1995 Directive between Member States were one of the key catalysts for the revision of the legislative framework. And, indeed, one of the key provisions of the Draft Regulation is for there to be co-operation between the national data protection authorities in the Member States to ensure consistency in the way the Regulation will be enforced. But in the revision, there has been an element of prescriptiveness which is actually more limiting for UK organisations than the current data protection laws – for instance, the Draft Regulation now removes the ability of an organisation to make their own risk assessment on data transfers to countries outside the EEA. Instead it reinforces the need to adhere to sanctioned processes and the Draft Regulation’s own definition of adequacy.

And this is one of the key areas that the ICO felt was not going in the right direction. The ICO have doubts about the way the Draft Regulation bases “adequacy” on the nature of the law in a particular country. It feels that “adequacy should be assessed more in relation to the specific circumstances of the transfer and less on the adequacy or otherwise of the law of the country the recipient is established in.” So, in other words, if I am transferring data to a reputable global firm in a country whose national data protection legislation is not adequate, why would that really be a problem?

Aside from the general concerns about the practicality of many of the proposed changes, the question of adequacy seems to be the hottest topic to debate. This is one of the aspects of the Draft Regulation that the ICO believes most needs to be amended to deal more realistically with current and future international data-flows. It (and we) believe that a future data protection framework should focus much more on risk assessment by the exporting data controller and that it should be clearer about data controllers’ responsibility, wherever they choose to process personal data.

EU Data Protection Regulation – The Right to be Forgotten

Continuing with our series of posts reviewing the potential effects of the proposed EU Data Protection Regulation, one of the areas it addresses is an individual’s “right to be forgotten” by a business.  The specific wording is as follows:

“The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data”

This has clearly been written with Social Media in mind, for example, ensuring that Facebook users are able to completely delete their profiles if they so wish. However, the effect on email marketers and direct marketers in general could be disastrous. If somebody unsubscribes, or asks to no longer receive an advertiser’s communications, then clearly that individual’s details need to be held by the organisation in order to suppress them from future comms. Forgetting them completely, i.e. erasing all their data, could have the polar opposite effect from that which the consumer is expecting! An individual’s details need to be held in order for the organisation to “remember to forget”. Also, industry suppression files, which are there to benefit consumers, could be put at risk by the Regulation.

The problems do not end there. There would also be an issue with information that has already been passed on to third parties, e.g. via list brokers or through partnerships. Also, consumers risk being misled. For example, some data in financial services has to be kept for a specific period of time in order to meet with legal and FSA regulations.

In summary, not only does this section of the Regulation risk failing to achieve what it sets out to do, it could also damage consumer trust and increase the complexity and volume of data processing which needlessly increases the financial burden on companies.

Email marketing….because I’m worth it!

Like many of you, I recently received an email from the DMA entitled “Find out what you’re worth”. I opened the email immediately hoping for some long awaited confirmation that I am in fact worth my weight in gold or perhaps to discover that I am being hopelessly underpaid for my job but instead I was confronted with some unexpected results from a recent DMA study relating to the value of direct marketing. The study revealed that the direct marketing industry in the UK is now responsible for 23% of all UK Sales.

Forget what I’m worth – ‘23% of all UK sales’ is a phenomenal amount! For the Travel and Retail industries the figures are higher still, where 30%+ of sales are driven by direct marketing. This reminded me of a recent comment made by the Head of Email Marketing at a major UK travel company who explained to me the enormous battle he had fought within his organisation just to get an email sign-up form included on their website homepage. With rates of success from Direct Marketing so high, it seems strange that a vital tool, such as a homepage email sign-up form would be such a struggle to implement.

You’ll be relieved to hear that the sign up form is now in pride of place on this particular company’s homepage. However, with the kind of results that the recent DMA study has highlighted, it is disappointing to hear how these types of discussions and internal hindrance still take place. As a business, your email database is one of your most valuable assets. It astonishes me that many businesses still don’t understand the value of their database and in fact the individual value of every person on that database. This brings us back to the DMA’s compelling ‘Find out what you’re worth’ subject line that caught my eye.

Earlier this year I tried the ‘What am I worth’ app, which helps consumers to calculate how much they are worth to businesses based on their online behaviour and consumer preferences. It’s a fun idea, but actually the basic idea that a single ‘consumer’ can be given this type of potential value is critical, and every business should focus on being able to attribute a specific value for their business in adding a customer to their database. (According to the app I am “worth” £525 if you are interested!)

It is really only when you know the value of your database that you can set meaningful targets for database growth and measure return on your efforts/spend to grow it. And of course it’s also helpful if you are trying to persuade your bosses to help you grow it, and to communicate that an email sign-up on the homepage of your website is a key asset not a wasted space.

As well as your website, here are some other ways that you can grow your email database:

  • Everyday email – don’t waste easy opportunities!
    Your company employees each send out around 15,000 normal Outlook emails a year to customers and potential customers in the course of their normal work. Adding a newsletter sign-up button to your email signatures will encourage the clients interacting with you to subscribe to your database. Don’t underestimate how much this can contribute: we’ve seen conversion rates of up to 40% with some of our clients.

  • Use your social media communities
    Have you integrated your newsletter sign-up with your Facebook page? Are you promoting your sign-ups on Twitter? Also, are you using the tools within your email marketing tool to distribute your newsletters via Twitter and Facebook directly to your followers and fans? We recommend taking an integrated approach across all your channels.

  • Search
    It was also interesting to see, at the end of last year, that Google started testing a new form of Google Adwords with Honda. I believe this is still in testing but the new format included a direct email subscription option, which allows companies to capture an email address opt-in via search, without the new subscriber having to visit the corporate website (and, by the way, the sign-up is pre-populated for logged-in Gmail users). This type of ‘search and sign-up’ technique will ultimately allow companies to grow ‘targeted’ quality databases through their paid-for adverts.

In conclusion, it is great news that so much value has been attributed to the role of direct marketing in driving sales across all industries, but for Email Marketers the challenge is often convincing the rest of the business of their true worth. It’s clear that we still have some way to go in joining the dots between the value of the sales and the value of the database that drove those sales. Because we Email Marketers know we’re worth it!

Disposable email addresses in your subscriber lists

Disposable email addresses, sometimes referred to as anti-spam addresses, are email addresses that people use for a period of time and that then disappear, causing emails sent to them to either bounce or be automatically filtered to the trash. No email address lasts forever, but these types of addresses can have very short life spans. They can be categorised into two types: those that exist permanently until the recipient removes them, which we will call semi-disposable, and those that exist for a short pre-defined period of time or for a set number of messages before disappearing. A semi-disposable email address is in effect an email alias. For example I have the email address shill@ but also the alias sh@. At any time I can remove the alias sh@ and the emails will start to bounce without it affecting my main email address. Many disposable email addresses are unrelated in any way to your main email address, as they use a third-party email service and forward replies to your main account until the address expires.

Disposable email address services

Most ISPs will allow you to create semi-disposable email addresses. Yahoo! Mail calls the service AddressGuard. Gmail and Hotmail allow you to set up alias addresses so the new address gets delivered as normal to your main account.

Some ISPs, including Gmail and Hotmail, also allow you to append a tag to your email address to create a new address. For example, if your address is, then you could also use or and they would both get delivered to your inbox. You can have any text after the “+” symbol to create an infinite number of possible email addresses.

The downside of using a tag to create a disposable address is that there is no way to remove the address should it start to get spammed. It will always be valid, and if you no longer want to receive anything from the address you will need to set up filters to send it to your trash. The advantage of aliases is that they can easily be deleted; the address then becomes invalid and will bounce.

If you want to create true disposable email addresses then there are many free services available such as SpamGourmet, TrashMail or Guerrilla Mail. Some give you the option of setting the number of messages your temporary address will receive before consuming or bouncing messages; others allow you to set a life span for the address. Some give you the option to do both.

Why do disposable email addresses exist?

Disposable email addresses have been around for a few years now. People are very protective of their email address and are very aware that the more they give it out, the more likely they are to receive unwanted emails and spam. The idea is that you only give your real email address to friends, colleagues and trusted sites. For everything else you use disposable or semi-disposable email addresses. You can give a different email address to every website or company that requests one. If you start to receive spam, you not only know who shared your details but you can also simply remove the address, and the spam will get consumed by the disposable address service.

How does this affect your subscriber lists?

Semi-disposable email addresses or aliases are a standard part of email and shouldn’t really cause a problem within your subscriber list. If you’re sending relevant content at a good frequency to these addresses then the recipients will be less likely to remove the alias. Basic list maintenance such as removing your hard bounces in a timely manner will ensure that any addresses that are no longer valid will be removed from your list and not affect your reputation.

Disposable email addresses can cause more of an issue if they exist in large numbers in your lists. They can cause damage to your IP reputation and waste resources. ISPs use engagement as a measure for deliverability. If you send to disposable email addresses that aren’t being used then the emails will likely get consumed (deleted) by the service and your level of engagement will be lower. Some disposable address services bounce emails when they are no longer used and these should be removed in the normal way.

The best solution is to stop people subscribing to your lists with disposable addresses. When requesting an email address, if you tell people exactly what you need the email address for and what you are going to use it for then you are more likely to get the “real” address you are after. As a second line of defence there are services such as that allow you to check for disposable addresses when the address is submitted and reject them.
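The sign-up check described above, sketched as an added example (not code from the original post or from any of the services named): it rejects addresses at disposable-service domains, records “+” tags, and reports mailboxes subscribed more than once through tags. The blocklist domains, the function names and the sample list are assumptions made for illustration, as is treating “+” as a tag separator at every domain.

```python
from collections import Counter

# Constructed blocklist: domains assumed to belong to the disposable-address
# services named in the post. A real deployment would load a maintained list.
DISPOSABLE_DOMAINS = frozenset(
    {"spamgourmet.com", "trashmail.com", "guerrillamail.com"}
)

# Constructed sample subscriber list.
SAMPLE = [
    "alice@example.com",
    "Alice+news@example.com",      # same mailbox as above, reached via a tag
    "bob+shop1@example.org",
    "temp123@mx.trashmail.com",    # subdomain of a blocklisted domain
    "carol@guerrillamail.com",
    "dave@nottrashmail.com",       # only looks similar; must not be rejected
    "not-an-address",
]


def split_address(address):
    """Return (local, domain) in lower case, or None if the shape is wrong.

    Lower-casing the local part is an assumption made for de-duplication;
    most mailbox providers ignore case there.
    """
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or " " in address or "." not in domain:
        return None
    if domain.startswith(".") or domain.endswith(".") or ".." in domain:
        return None
    return local.lower(), domain.lower()


def is_disposable_domain(domain, blocklist=DISPOSABLE_DOMAINS):
    """Match the domain or any parent domain, so mx.trashmail.com is caught."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def classify(address, blocklist=DISPOSABLE_DOMAINS):
    """Classify one submitted address as invalid, disposable, tagged or ok."""
    parts = split_address(address)
    if parts is None:
        return {"status": "invalid", "canonical": None}
    local, domain = parts
    if is_disposable_domain(domain, blocklist):
        return {"status": "disposable", "canonical": f"{local}@{domain}"}
    base, plus, tag = local.partition("+")
    if plus and base:
        # A tagged address stays valid for as long as the mailbox does, so it
        # is accepted; the canonical form identifies the underlying mailbox.
        return {"status": "tagged", "canonical": f"{base}@{domain}", "tag": tag}
    return {"status": "ok", "canonical": f"{local}@{domain}"}


def audit(addresses, blocklist=DISPOSABLE_DOMAINS):
    """Return (counts per status, mailboxes subscribed more than once)."""
    counts, seen = Counter(), Counter()
    for address in addresses:
        result = classify(address, blocklist)
        counts[result["status"]] += 1
        if result["status"] in ("ok", "tagged"):
            seen[result["canonical"]] += 1
    duplicates = sorted(box for box, n in seen.items() if n > 1)
    return dict(counts), duplicates


if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", classify(entry)["status"])
    print(audit(SAMPLE))
```
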

It’s all about trust. If the user trusts that their email address won’t be abused then they are more likely to give you their real email address and not use a disposable address.