There are any number of prosecutions for data law infringement, some of which show a cavalier attitude to regulations. When reading the decisions of courts it does seem that the offending company was asking for it. With some others there is the feeling of, ‘It could have been me.’ If you have a healthy email marketing list then you might be wondering if you are doing things right.
The time to discover your error is not when your computers are being searched. A finding of guilt not only hurts with regard to the fine, but the adverse publicity will hurt more. On top of that you hurt everyone in email marketing.
What can you do to ensure that your systems comply with the various laws and regulations? One way is to spend time and money on compliance. Specialist lawyers are expensive, but cheaper than the alternative. Another way is to keep up to date with new law and court decisions. Reading blogs such as this helps, or you could subscribe to the ICO, ASA and other such enewsletters.
There is a third way, and one that promises many advantages.
The ICO will check through your systems and procedures to see what you do well and what you do poorly. The aim of these advisory visits, as they are called, is to give practical advice to companies on how to improve their data protection systems. The visit normally takes a day and at the end of it the company will be told what it is doing well and what it is doing poorly.
It starts with the company requesting a visit via the ICO website. The visits are aimed at small to medium-sized businesses and the aim is to assess how you ensure the security of personal data, your records management of personal data from creation to destruction and how you deal with requests for personal data.
There are constraints attached to these visits. You will be given a written record of the visit and a list of those things that you do well together with those that you do poorly. There is a strong implication that you will modify your systems that have been found wanting.
Failure to accept what the ICO finds, and a refusal to modify your systems in accordance with their report, means that, if you are prosecuted at a later date, the defence of ‘we did our best’, which seems to have been fairly effective in the past, will have been removed. That you sailed on regardless of the fact that the professionals had told you your systems were wanting might well increase the likelihood of a prosecution as well as making any penalty greater.
On the other hand, you will be secure in the knowledge that your systems are secure, once you’ve complied with any recommendations. Further, I would suggest that if you are found in breach of any regulation, the report of the visit might well be grounds for a warning rather than a prosecution.