Feature

posted 27 Jul 2004 in Volume 7 Issue 3

Are you within the law? Managing your marketing and client data

Law firms are using marketing like never before to build presence in the marketplace and bring new business through the doors. Recent legislation, however, means that firms have to be more careful than ever to ensure that they use their clients’ data correctly. Michael Warren, client services director at Shamrock Marketing, explains why many firms are failing to comply with legislative change and what they should do to protect themselves and their clients.

Data-protection legislation and EU directives have significantly changed how law firms need to manage their marketing and client-contact data. The Data Protection Acts 1984 and 1998, and the Privacy and Electronic Communications EC Directive 2003 are the key drivers of current practice, and it must be remembered that the issues of data protection go much further than database management.

In this article, I will explore the impact of these legislative changes and directives on contact and data management. Our experience suggests that many firms are not really integrating the provisions into day-to-day practice and that this is cause for considerable concern. For example, many fee earners, reluctant to allow their data to be held on the central marketing system, are, in my experience, holding data on their client contacts that is in breach of the Acts. This would include details such as number of children, birthdays, spouse’s names, sporting likes and dislikes. While all of these can be held, specific permission must be obtained from the contacts, which is invariably not happening.

What I find interesting is that so many firms are too quick to delegate responsibility to the database administrator and do not see compliance with the legislation as a matter for the board to consider. The days when data-protection legislation predominantly related to consumer marketing are gone. In my opinion, firms are not taking this issue seriously enough and are, therefore, likely to upset their clients and be in breach of data-protection legislation.

Ask yourself the following questions to see how compliant your firm is with the law. If you can’t answer ‘yes’ to all of them, then you might have problems:

  • Our policy on data protection is clear, documented and accessible to all staff;
  • Our engagement letters clearly state our policies on data protection;
  • We have standard clauses for data protection that all staff use for all marketing communications, irrespective of delivery method;
  • We have a board member responsible for data-protection compliance;
  • We have recorded data-protection permissions on our database;
  • Our data is accurate, not excessive and has been gathered fairly and lawfully;
  • Fee earners do not hold private personal information on their clients that they use for marketing or business-development purposes.

The scope of data protection

The issues of data protection go much further than just database management. Firms have to consider their use of data from the start of any relationship with their clients. There must be suitable clauses in the engagement letters or terms and conditions of business that describe what will be done with the information.

You are not allowed to use terms of business that require a person’s consent to use their data for direct-marketing purposes or to disclose information about them to third parties. For example, you must specifically give the data subject an opportunity to opt out of these clauses, and cannot deem consent due to signature of the terms and conditions of business, without a specific opt-out clause. In relation to highly personal information, such as may be needed for the execution of the business for which your firm has been engaged, you must specifically include opt-in clauses if you wish to use this information for marketing purposes. Use of this data solely for the purpose of the execution of the work, for example, holding a contact’s financial details to undertake an engagement, is exempt from the Act as it is not being used for marketing purposes.

Sharing data with third parties, such as accounting firms with whom you are planning to undertake a joint seminar, is a common enough practice. This is something that many firms do, and most are not compliant with the Act in this area. It is advised that separate clauses for sharing information with third parties are included in all correspondence. This does not just include the physical mailing of letters; it includes commonplace practices, such as sharing of lists for the purposes of ‘cross-checking’ or ‘suppression’ – this cannot be done without the express permission of the data subject.

Before highlighting good practice and offering any advice on how to tackle these issues, it’s important to start with some general points that are often misunderstood or misinterpreted in relation to the Act.

Definition of direct marketing

The principles of the Data Protection Act 1998 are relevant to direct-marketing communications. This is defined in the Act as: “The communication (by whatever means) of any advertising or marketing material, which is directed to particular individuals.”

Direct marketing does not just relate to the sale of goods or services, but also applies to the promotion of an organisation’s objectives or aims. Therefore, it includes contacting living individuals, be they private clients or contacts who work at an organisation, in order to undertake activity covered by this definition.

Key provisions of the Act

So, what does the Act actually dictate in terms of practice? Although there are eight principles in the Act, I have highlighted the following five, as most firms have issues specifically relating to these areas:

  1. Personal data shall be processed fairly and lawfully, and, in particular, shall not be processed unless the data subject has given consent to the processing, the processing is necessary (contractually), or is in compliance with a legal obligation, or is to protect vital interests or is for the administration of justice;
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
  4. Personal data shall be accurate and where necessary kept up to date;
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.

The impact of these principles

One of the critical issues is the nature of consent. Consent is actual evidence of an opt-in or, where applicable by law, where the subject has previously given consent and has subsequently been given every opportunity to opt out, but has not done so. Do not confuse this with data-protection mailings that are undertaken to gather consent from those for whom you do not already have it. Failure to opt out of a mailing such as this does not constitute consent on the part of the subject. So carefully consider your overall strategy before spending large amounts of money mailing people to ask them if you can keep them on your database.

Another key area that must be addressed is contractual obligations. The onus of data security is firmly on the data controller, who must have a written contract with any organisation that is to undertake any processing of their data for the purposes described above. This means that a written contract must be in place that states both parties’ obligations under the Act and describes clearly what work is being undertaken. For example, should you wish to ask an agency to undertake lead follow-up work for you, or event-response handling or mailing fulfilment, all of the appointed agencies must, by law, have a written contract with you.

Who is responsible for data protection?

Too many firms believe that data protection is the sole responsibility of the CRM or database manager. This is dangerous, as issues of data protection go much further than this. Firms have to consider data protection from the start of any relationship with their clients. It is essential for anyone given the data-protection role that there is buy-in from the board down, and that your firm’s policies and protocols are documented and made available to all employees. This is one of the first things that the data protection commissioner will look for – evidence that you have attempted to explain your policies to your staff.

Are you gathering and recording consent?

The first principle could not be more straightforward: it clearly states that data processing shall be fair and lawful and gathered with the consent of the data subject. Firms must have a clear plan in place for obtaining consent from subjects if they do not respond to mailings or, alternatively, for removing them from the database. Many firms have engaged their fee earners right from the start, explaining to them that consent should be sought as part of initial discussions with a potential client about their interests and the services the firm might offer them, even in an informal atmosphere such as a dinner or an event. This can then be confirmed simply in an e-mail or letter to follow up the initial contact.

Do fee earners gather data indiscriminately?

The third principle of the Act states that the collection of ‘just in case’ data that might be useful in the future is not acceptable. What this means is that the gathering of business cards at events to add them to the database for future reference is specifically not allowed. This is one of the strongest arguments for a centrally driven data-management policy. Fee earners should understand that while they own relationships, they do not own data. This is a firm asset and should be treated as such.

Keeping your data up to date

The fourth principle of the Act states that information must be accurate. Many firms consider data accuracy at the point of implementing CRM or contact-management systems, but do not have a specifically defined set of processes for maintaining it thereafter. Some do not even consider it at all. Many firms rely solely on mailing returns, even though research suggests that postal returns are highly unreliable.

Retaining client data

The Act states that data cannot be retained for longer than is necessary or reasonable, but firms do not run audits on a sufficiently regular basis to identify contacts with whom they are no longer communicating. It is essential that firms regularly analyse their data in terms of when it was last updated or used and have a strategy for dealing with the rest.

Looking ahead

Complying with legislation is a must, but there is enough evidence to suggest that this may not be happening. If the fact that so few firms were compliant with the 1998 Act were not enough, recent changes in legislation from the EU have made things even more complicated. The Privacy and Electronic Communications Directive, which came into effect in December 2003, now requires proactive opt-in to electronic communications. Firms are required to scan their business databases against a telephone-preference service, the service whereby telephone numbers can be registered by the subject to avoid unsolicited calls. This legislation previously only covered private individuals, sole traders and partnerships.

Firms must take heed of legislation. To date I have not heard of any client complaints or actions against firms, but, as ever, it is better to have clear strategies and procedures in place to avoid such actions becoming possible. No firm wants to be the first to be prosecuted for breach of data-protection legislation.

Michael Warren is client services director at Shamrock Marketing. He can be contacted by e-mail at michaelw@shamrock-marketing.co.uk.

Copyright ©1994-2008 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.