About

As well as providing training and a GDPR Toolkit (details below), I also provide extended support to people who have attended training, bought the toolkit, or just need some friendly guidance. The GDPR Toolkit can be found here: http://www.adaptconsultingcompany.com/gdprtoolkit/ Jersey Business is supporting the GDPR Training, and they can be found at https://www.jerseybusiness.je/get-advice/it-office-systems/data-protection-small-business/

Thursday, 28 December 2017

Jersey Charity Advice on GDPR and Marketing


Direct marketing



Step 1: Consent



In many cases you must obtain prior 'opt-in' consent to send marketing communications, and it is always good practice to use opt-in boxes when collecting contact details for marketing purposes.
You should tell people what methods of marketing communication you are going to use, e.g. email, text, phone, automated call, post.
You should ask for consent to pass contact details to third parties for marketing, and name or describe those third parties with enough detail to give people an informed choice over marketing.
You should record when and how you obtained consent, and exactly what it covers to ensure you do not inadvertently contact people against their wishes. You can keep a 'suppression list' of people who don't want to receive marketing.
* Direct marketing checklist, ICO
* Consent, in ICO direct marketing guidance
* The DMA Code, Direct Marketing Association website
* What counts as consent?, in Electronic and telephone marketing, ICO Guide to Privacy and Electronic Communications Regulations

Step 2: Bought-in lists

 

Neither the DPA nor PECR bans the use of bought-in marketing lists, but you should take steps to ensure the list was compiled fairly and accurately, reflects people's wishes and is reasonably up to date.
You should check when and how consent was obtained, and what it covers to ensure you do not inadvertently contact people against their wishes.
You should always screen bought-in lists against the TPS when making live marketing calls.
You should avoid using bought-in lists for emails, texts or automated calls unless you have proof of 'opt-in' consent within the last six months, which specifically names or describes your business.
You should tell people where you got their details if asked.
* Direct marketing checklist, ICO
* Buying a marketing list, in ICO direct marketing guidance
* The DMA Code, Direct Marketing Association website
* Using marketing lists, ICO Guide to Privacy and Electronic Communications Regulations

Step 3: Telephone marketing

 

You must screen live marketing calls against the TPS. The only exception to this rule is where people have told you that, for the time being, they do not object to receiving such calls.
It is good practice to maintain your own 'do not call' list to screen live marketing calls.
You must obtain prior 'opt-in' consent to make automated marketing calls. There is no exception to this rule.
You must identify your business and provide a valid business address or Freephone number. You can do so in the content of an automated call recording or when asked during a live call.
* Direct marketing checklist, ICO
* Marketing calls, in ICO direct marketing guidance
* The DMA Code, Direct Marketing Association website
* Telephone marketing, ICO Guide to Privacy and Electronic Communications Regulations

Step 4: Electronic marketing

 

You must obtain prior 'opt-in' consent to send electronic marketing messages by email, text, picture or video messaging. The only exception to this rule is where you intend to contact previous customers about similar products or services provided by your business, and they were offered an 'opt-out' when you first collected their contact details.
You must identify your business and provide an easy means to opt-out of receiving further electronic marketing with every message. You should therefore provide a valid email address or short code number for texts (as long as this does not incur premium rate charges). It is good practice to provide a link to your website for further contact details.
It is good practice to maintain your own 'do not contact' list to screen electronic marketing messages.
* Direct marketing checklist, ICO
* Marketing texts and emails, in ICO direct marketing guidance
* The DMA Code, Direct Marketing Association website
* Electronic mail marketing, ICO Guide to Privacy and Electronic Communications Regulations
* Marketing campaigns, in ICO marketing sector guidance

Step 5: Postal marketing

 

Section 11 of the DPA gives individuals the right to issue your business with a written notice that their details should not be used for marketing purposes. Your business must comply with this notice. It is good practice to acknowledge the notice and confirm the marketing will stop.
It is good practice to screen marketing mailings against the Mailing Preference Service (MPS), and you should also maintain your own 'do not contact' list to screen those who have notified you directly that they object to the receipt of marketing mailings.


ABOUT THIS BLOG
This has been drafted following a series of workshops to identify the key issues affecting many Jersey Charities. It is based on work done with Jersey Community Partnership, and feedback from Jersey Child Care Trust, Macmillan and Brighter Futures.

FOR JERSEY CHARITIES
Working with Jersey Community Partnership, we are able to provide a collaborative approach and shared cost, greatly reducing the price of compliance and improving the quality and standard of service to Charities.

ABOUT TIM ROGERS
Tim Rogers is a Management Consultant supporting process and business change. He is a specialist in governance, compliance, procedures and risk, providing Tools, Templates, Training, and Technology to help Data Protection, GDPR and Information Security.

Board Awareness | Staff Training | Data Process Mapping | Data Process Impact Assessments | Compliance Audit | Privacy Notices | Subject Access Requests | Breach Notifications | Data Controller Agreements | Data Processing Agreements

TimHJRogers@AdaptConsultingGroup.Com +447797762051

Charity advice on GDPR

Top five tips

Here are our top five data protection tips for small and medium-sized charities and third sector organisations:
  1. Tell people what you are doing with their data
    People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
  2. Make sure your staff are adequately trained
    New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
  3. Use strong passwords
    There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
  4. Encrypt all portable devices
    Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
  5. Only keep people’s information for as long as necessary
    Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.
