The need to ensure that any personal data used (e.g. name and address details) are:
a) accurate and up to date [principle 4] [old/inaccurate data is a key problem in this sector]
b) only being used for the purpose for which they were captured [principle 2] [failure to properly permission data, e.g. to provide a clear opt-out for direct marketing by mail, is a common problem, especially when the data is to be used by third parties for marketing purposes]
c) not used for marketing if the data subject has requested that it is not used in this fashion (see section 11) (see also the MPS – Mailing Preference Service. Use of this is not strictly a legal requirement, but it is now effectively a requirement as it demonstrates a data subject’s request not to have their personal data processed for the purpose of direct marketing by mail.)
d) kept secure, so protected against unauthorised or unlawful access, use, loss, destruction or damage.
e) not being processed (e.g. held on a server) outside the EEA unless adequate protections are in place (principle 8)
In addition, data subjects’ rights must be respected, such as the right to make a subject access request (see section 7) (see the ICO website for the code of practice on these: http://www.ico.org.uk/for_organisations/data_protection/-media/documents/library/Data_Protection/Detailed_specialist_guides/subject-access-code-of-practice.PDF)
If sensitive personal data is being used, e.g. data relating to the data subject’s health and well-being or trade union membership, this must be subject to a higher level of protection to reflect its sensitive nature. Direct marketers using direct mail as a channel may be the recipients of a monetary penalty notice levied by the ICO (Information Commissioner’s Office) should they commit a breach of the Data Protection Act 1998.
The maximum fine is £500,000 – but actual amounts depend on a variety of factors, including the potential risk to the data subjects, the severity of the risk, the number of potentially affected data subjects, and the amount the organization responsible can afford to pay without being put out of business.
The fine will be levied on the data controller rather than the data processor. If the direct mailer is the data processor rather than the data controller, this does not mean that they are free of risk if they are responsible for the breach of the Data Protection Act 1998. Normally there will be an agreement in place with the data controller that makes the data processor liable for any such fines that are levied as a result of action or inaction on the part of the data processor.
As you see, even from such a potted statement, this is an area that contains pitfalls and may be worthy of care, further study or advice. Be aware, though, that an awful lot of direct mail happens without any problems with the law.
Reference: Direct Marketing in a Week, Patrick Forsyth