You might think that any charges brought by the ICO against a large companies would be rather too esoteric for an email marketing company. After all, it must be a technical infringement. However, it would seem that they, like us, make basic errors.
A study of the ICO’s actions shows that even institutions such as large police forces can be inexcusably slack. What is quite shocking is that the fault tends to lay in the basics. Historically, these are the ones that bite the hardest when you ignore them.
Any study of the case files of the ICO will show that errors are often made by staff who have no understanding of the data protection legislation. You can’t blame them and, quite clearly, the fault lies with the company.
The cases show what we should be doing to secure data from our email marketing lists.
1/ Everyone in your company who has access to personal data, even if they have no function which includes sharing it, should undergo data protection training.
You might think that it should be obvious what those with email marketing data on their screens should not do. However, it seems it often is not. Have a basic level of training that all staff have to experience, regardless of how much access they have to data.
As staff responsibilities increase, so should the information they receive.
2/ Ensure everyone has refresher training. The legislation changes with unceasing regularity and merely making it available to staff is not enough. Further, reinforcement is essential to keep it fresh in their minds.
3/ Check so see that the training is effective and up to date. If a member of staff makes an error, find out why. If it is a failure of knowledge or processes, then you must take steps to ensure all staff are aware.
4/ Have a plan B
If it goes wrong you must be able to manage the error and limit damage.
5/ Record everything you do with regards training of staff. If someone does make an error and the ICO takes an interest, they will assess your training systems. If they are lax, this could increase the penalty.