Email and the Law

Understanding data protection laws

One of the most significant restrictions on bulk email marketing is legislation. One of the most significant problems is that the words that are used are open to interpretation.

The Data Protection Act (DPA) tells us that we must not keep personal data any longer than is necessary for the purposes for which it was originally collected and that we should delete data once it is no longer necessary. What it does not tell us is what is meant by delete.

Bulk email marketing depends on IT systems and as most people know, clicking on the delete button does not remove the data from systems. You may have no intention of using the data again but it remains in your records until such time as it is overwritten. 

In guidance issued in August, The Information Commissioner’s Office (ICO) tells us that in such cases data compliance issues are no longer applicable.

Similarly, if the personal information cannot be deleted because it is intertwined with other data that we need to retain then the ICO comes to the rescue by telling us that in this and similar cases, the data is considered to be ‘beyond use’ if the data controller holding the data:

Is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way.

Does not give any other organisation access to the personal data

Surrounds the personal data with appropriate technical and organisational security

Commits to permanent deletion of the information if, or when, this becomes possible

In essence this gives us three levels of deletion: material that has been irretrievably removed from all systems, that which has been archived and that which has been put beyond use.

All this is very useful for those working in email marketing. Nothing has changed with regards archived material. The person whose details are on these records still has all the normal access rights. However, the ICO assures us that they will take no action in the case of data put ‘beyond use.’



30 days full functionality - No credit card required - INSTANT ACCESS