Data protection: Are accountancy firms breaking the law?

What’s the scope of the Act?

The principles of the Data Protection Act 1998 are relevant to communications for the purposes of direct marketing. In addition to the sale of goods or services, organisations wishing to undertake activity covered by the Act’s definition will need to first gain permission from individuals, be they private clients or contacts. This includes business-related contacts.

Who owns data protection in your firm?

Many firms are too quick to delegate responsibility to the database administrator. Firms must consider data protection when beginning any relationship with a client. Your policies and protocols must be documented and made available to all employees – evidence that you have explained policies to your staff is one of the first things that the data protection commissioner will look for.

Gathering and recording consent

Firms must have a clear plan for obtaining consent from subjects if they do not respond to mailings, or for removing them from the database. Consent is actual evidence of an opt-in, or where the subject has previously given consent and has subsequently been given every opportunity to opt out but has not done so. Even during initial discussions with a potential client (which includes an informal context such as a dinner or an event), fee earners must explain that consent should be sought. This can then be confirmed in a follow-up email or letter.

Do fee earners gather data indiscriminately?

The Act states that the collection of data ‘just in case’ it might be useful in the future is not acceptable. Even gathering business cards at events and adding them to a database for ‘future reference’ is specifically not allowed.

Information must be accurate

Although firms may consider data accuracy at the point of implementing contact management systems, often they do not have a defined set of processes for maintaining it. Indeed, many rely on mailing returns even though research suggests that this is an unreliable method of data maintenance.

Don’t keep data on a system you’re not using

Data cannot be retained for longer than is necessary or reasonable. Regular analysis of data is essential to check when it was last used, and firms must have a strategy for dealing with the rest.

Changes in legislation

The privacy and electronic communication directive (Dec 2003) requires proactive opt-in to electronic communications. Firms must now scan their business databases against the Telephone Preference Service, with which subjects can register their telephone numbers to avoid unsolicited calls.

  • Michael Warren is client services director at Shamrock Marketing.
