Login
Username
Password
 
» lost password
Add your profile
 
Subscribe
 
» preview

» About us
» Advertising
» Membership
» Email marketing
» Testimonials
» Contact
» FAQs
» Feedback

Search [how to publish your news]

our news archive of thousands of articles published by our editorial team and our users

Category     Keywords    
How safe is your data?
If you use email marketing, have you looked at the risks associated with uploading and hosting data on third party servers?


Over the past few years, Government Departments and commercial organisations have increasingly used email to inform and engage their customers, partners and subscribers with a range of communications from Direct Response to newsletters and trigger mails. Much has been written about the benefits of this technology.

Email marketing is one of the most powerful and widely used mediums, as it brings speed, control and response metrics not available in many other channels. Organisations more often than not use Email Service Providers (ESPs) to broadcast their email and report on the metrics (opens, clicks, bounces, unsubscribes etc).

As well as providing the email broadcast technology, ESPs need to 'host' the data associated with mailing. This is always an email address, but can also include name, company and other personal data like usernane and password. Indeed any data that's included in the email or on a subscribe form the ESP hosts.

However, with this increase in activity there comes an increase in risk.

Many ESPs now operate on a geographically wide and even global scale. Many provide easy sign ups and trial periods, hoping to attract longer term customers. But in all this activity, where your data is being hosted often gets overlooked.

If you use an ESP, have you asked where the data is actually hosted?

Although there are some significant ESPs in the UK, many of these are based on technology hosted overseas. Some of the biggest and best ESPs are not domiciled in the UK at all.

Using these companies to send your emails and host your data has increased risk because of the difference in legal boundaries.

Overview
The UK has some of the tightest data protection laws in the world, with the Data Protection Act 1998 (“Act”) setting out numerous obligations and restrictions on ‘data controllers’ (i.e. those who determine the purpose and method of processing others’ personal data), and granting various rights to those whose data is being held.

Data controllers are required to register themselves with and notify the Information Commissioner of various information including a description of the personal data to be processed (i.e. stored and used) on behalf of the data controller (by the data processor), the reasons the data controller is processing the data, who the data controller intends to disclose the information to and whether the data controller intends to transfer any of the data outside the European Economic Area. Data controllers are also required to comply with 8 “Data Protection Principles” set out in the Act, which include provisions for the safe and lawful processing of data and the restriction to only obtain data for specified purposes.

Individuals whose data is being collected have numerous rights including the right of access to personal data and the right to compensation for damage and distress suffered if the data controller fails to comply with the Act.

All data controllers are required to comply with the strict requirements set out in the Act, although there are a number of exemptions for certain aspects. For example, data controllers may share personal data with third parties where the individual has expressly consented to this specific sharing.

Data processing abroad
The prohibition relating to the sharing of personal data does not extend to the situation where a data controller requests the actual processing of the data (which includes obtaining, recording or even simply holding the information) to be carried out by a foreign company. Indeed, many companies in the UK request data to be processed in, for example, the USA or Australia in order to save costs. In such a situation, whilst the data controller does not itself handle the information, the data controller remains responsible for the processing and liable for the data.

The Act imposes additional restrictions on data controllers wanting to outsource the processing of personal data in this way, including an obligation to take “appropriate technical and organisational measures” and to check the data processor will carry out the processing safely. The data controller must also enter into a written contract with the data processor, restricting how the data may be used and requiring the company to put safety measures in place.

Processing abroad v. processing at home
There are a number of factors that need to be taken into consideration if data is to be processed abroad. In addition to any increase in costs associated with using an overseas provider, data controllers should be aware of the additional risks that arise which may not necessarily arise if data is processed in the UK.

As data controllers are required to enter into a contract with the data processor, one important consideration is to ensure that the contract will be enforceable in the data processor’s country. This, of course, would not be an issue if the contract were with another UK based company (providing the contract terms were themselves enforceable!).

In addition, whilst the UK data protection legislation may be strict, the same restrictions for data controllers and rights for individuals may not exist in foreign countries (data protection in the USA in particular is discussed briefly below). This means that, whilst you may have a contract in place with the processor governing how the data must be processed and whom it can be disclosed to, there is a risk that the data protection legislation (or lack of such legislation) may actually give the processor freedom to transfer or sell the data to others as a commercial product.

Many companies based in the UK outsource the processing of data to companies based in the USA. What few may realise, however, is that data protection in the USA is not heavily regulated and there is no single law governing the obtaining, holding or use of personal data. Private data may, therefore, be accessed by or sold to third parties in certain situations, with no consideration given to the rights of the individuals identified.

Whilst USA based companies can choose, under the Safe Harbor program, to self-assess their compliance with standards of data protection based on UK and European law (confirming that they have the required “adequate safety measures” in place), there are a limited number of companies that sign up to the program since it is voluntary. This means that often, USA based companies do not have the adequate security measures in place and personal data may be at risk of being released without individuals’ permission.

There may also be other legislation which requires the data processor to release data on request (for example under the USA Patriot Act). In these circumstances, the data controller should ensure that the data processor reports any such requests to the controller and provides sufficient detail about the request to ensure only the required data is released. Of course, monitoring this may can be difficult where the data processor is based in a different country.

Data controllers should, therefore, be careful not to assume that foreign companies are held to the same data protection restrictions as those that apply to UK based companies.

What happens if something goes wrong?
The data controller remains responsible for data even where it is processed by another company. Whilst there will always be an element of risk involved where the data controller is not processing data themselves, the risk will, of course, be much lower where the data is being processed by a company held to tight data protection laws.

Another factor for companies to consider, when deciding where to process their data, is what will happen if the data processor was to go into liquidation. In the UK, given the strict data protection laws and in particular that the data controller remains the owner of the data, the insolvency practitioner is more likely to ensure the data is returned to the data controller. However, in countries where such emphasis is not placed on the protection of personal data, the situation could be different and the data may be sold on to third parties to pay off creditors. Data controllers could, therefore, find themselves facing investigations and punitive fines by the Information Commissioner in the UK, giving such UK based data controllers significant incentive to ensure they have the necessary safeguards in place.

Some things to consider regarding data when thinking about using an ESP:

1. Exactly where will the personal data you upload be hosted?

2. Is the ESP hosting forms to collect subscriber data and if so where will the data be hosted?

3. What legistlation is there that protects you?

4. What are the potential cost implications if legal action is required?

Legal contributions and overview provided by Nisha Baveja at Briffa

 


Bookmark this page
Add to Delicious  Digg this  Add to Facebook
Reddit  Add to StumbleUpon  Tweet this
Date added: Tue 17 Mar 2009
 
Email Marketing
Address   Enewsletters Limited
566 Chiswick High Road
Chiswick
London
W4 5YA
T   0844 445 7765
F  
»   http://www.enewsletter.co.uk
  See more news from Email Marketing
» Email author  » Forward  » Comment/rate  » Print
» See more by Email Marketing, or visit their web site.
This article has an average rating of 3 / 5
» Terms & Conditions » Privacy » Editorial Policy » Sitemap