This guide aims to give practical advice on how to effectively handle common queries you might receive from consumers, about how your organisation is using their personal data.
Can you remove my details from your database immediately?
This is a straightforward request: confirming that the consumer’s record has been suppressed is all that’s required. It may be necessary to explain the difference between suppressing and deleting: if a record is deleted, no record of the complaint will be held, whereas holding it on a ‘complainer’ suppression file ensures that if the same details were acquired in future from another source they wouldn’t be used. Current ICO guidelines state that organisations should maintain a “suppression list” of people who have opted out.
If a company’s suppression process doesn’t take immediate effect, it’s advisable to offer an estimate of how long it will take (i.e. when the data will cease to be used). This is particularly relevant for organisations that supply or share data with other companies for postal marketing.
In light of the “Right to be Forgotten” ruling, further clarification is being sought on how far this right will extend when the EU Data Protection Regulation is finalised.
Where did you get my personal details?
If this information is readily available, the query can be answered fully and quickly. If time is required to establish the sources of the consumer’s data, best practice is to give an indication of how long it will take. Under industry guidelines, consumer queries should be answered within 20 working days (a company has 40 working days to respond to a Subject Access Request, or SAR). Companies need to be able to answer these queries fully with the source(s) and date(s) the data was acquired.
Why are you using my personal details for marketing?
The ICO states that organisations need consent to send people marketing or to pass their details on. Furthermore, records should be kept to show that consent was ‘knowingly given, clear and specific’. The advice is that opt-in boxes should be used where possible. Looking to the future, this is likely to become mandatory when the EU Data Protection Regulation comes into force. The rules for telemarketing, text messages and email are already stricter than for postal marketing, with consent more specifically defined.
As organisations need to be able to prove what someone consented to, and the method and date of consent, it is advisable to retain copies of previous opt-in statements whenever a website is updated. If data has been bought in from a seller or list broker, there should be evidence that the supplier can provide material showing how and when consent was acquired.
Why have you supplied my details to other companies? Who else have you supplied them to?
Data resellers and list brokers need not only to be able to provide proof of consent for third-party usage, but should also be in a position to tell a consumer, on request, which organisations they have supplied their data to. It is considered best practice to have this information dating back at least 12 months.
Why do you know how old I am? Or why do you think I am over 50?
Age-targeted marketing can raise concerns about how a company might know a consumer’s age and/or the accuracy of the data held. People can forget that they provided their date of birth on websites or forms and worry that this information might be used inappropriately. It’s important in these cases to have a good understanding of the DOB data held: is it year of birth only, is it the full date of birth, or has age been assumed or estimated through modelling or profiling? If the full date of birth is held, be mindful that it should not be disclosed to the consumer unless you are confident they are definitely who they say they are. This applies equally to all personal identifying data held. If the date of birth is wrong, it could simply be that the consumer accidentally provided the wrong year of birth, or that modelling or profiling hasn’t worked in this specific case.
Have you illegally obtained medical details from my doctor/hospital?
Targeted marketing can leave consumers distressed, suspecting there is more to the marketing piece than simple coincidence. For example, a consumer has just been diagnosed with breast cancer and receives a mailing from a cancer charity, or a relative has been given a terminal diagnosis and then receives a “do you have a funeral plan?” mailing. It’s not uncommon in these cases for people to allege that a company has gained illegal access to medical records. Sensitive handling of these cases is paramount, along with the ability to explain the privacy safeguards and strict laws protecting access to medical records. It should be reiterated that these are unfortunate coincidences. It often helps to explain that identical marketing was sent to thousands of other consumers, some of whom may have found it helpful rather than insensitive or alarming.
Why have I received a mailing addressed to my 12 year old?
Understandably, parents or carers are anxious if they discover their child’s details are held on a database outside of the school or the doctor’s surgery. It’s rare, but it does happen. In most circumstances there is a logical explanation that will put parents or carers at ease: the child may have completed their details online by mistake, an incorrect year of birth may have been provided making them appear over 18, or in some cases children have been added in error by adults to the Edited Electoral Roll. Good data compliance will enable consumer services to identify the provenance of the error and prevent the matter escalating into a formal complaint or SAR.
My mother has Alzheimer’s, can you remove her from your database?
Marketing literature can cause anguish and confusion for people with dementia and other vulnerable groups, and unfortunately it can prove an arduous task for relatives to try to stop it. These are simply suppression requests, but it can be helpful to ask any data partners to suppress the record as well and to tell relatives about the Mailing Preference Service.
My father has died, why is he still receiving marketing literature?
Many people simply throw unwanted marketing literature, whoever it is addressed to, in the bin. For others it is upsetting to receive letters addressed to a loved one who has died. As well as confirming suppression, telling people that they can register their relative’s death with the Mailing Preference Service, which all reputable UK marketing companies apply, can offer some assurance.
It can further be explained that marketing companies unfortunately can’t be 100% accurate. In the past organisations had access to the National Register of Deaths for this purpose, but for many years now they have needed to rely on industry suppression files of people who have died.
Under the DPA, can you provide me with ALL the data you hold on me?
A consumer may demand to know ‘everything’ a company holds on them, but in the first instance this does not have to be treated as a Subject Access Request, unless it is received formally as such in writing. In many cases, asking the consumer what has prompted their query, providing details of where their data was sourced from, perhaps an overview of the data held and confirmation of suppression will suffice. If a formal SAR is submitted in writing then this must be fulfilled within 40 working days.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.