The Data Protection Act 2019 came into force on 25th November 2019 to regulate, govern and protect the use of an individual’s personal data. The Regulations giving effect to the Act also recently came into force, namely: The Data Protection (General) Regulations, 2021; The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021; and The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021. This is a new area of law, so you need to know what changes to implement to ensure compliance. Failure to comply can lead to litigation, hefty fines and even jail time. Here are a few tips for your marketing team.
- Out with the old, in with the new! – Those old mailing lists have to go. Unless, of course, you have proof that a client actually consented to receiving marketing and promotional content. Remember that the consent must be specific and voluntarily given. Obtaining consent deceptively or misleadingly is an offence which, on conviction, will attract a fine of up to KES 3 million or imprisonment for up to 10 years, or both. Obtaining consent will also ensure the people you are marketing to are actually interested in what you are selling; quality over quantity all the way.
- You don’t need to know your client’s favorite Netflix show – Unless you’re in the business of movies, this is irrelevant information that goes against the principle of data minimization. Teach your marketing team to collect only the information needed to achieve your organizational goals, nothing more. This will not only make you legally compliant but will also reduce data storage costs and allow faster processing of data for business-critical processes.
- Quit saving your client information on Excel sheets – Organizations are required to undertake processes to secure personal data. A client’s personal information should not be accessible to each and every employee. Furthermore, all sensitive data should be highly encrypted. The marketing team must be trained on confidentiality and ways to protect client information from unauthorized persons.
- Drop the dead weight – Do you really need all that client data? Under the principle of storage limitation, organizations are prohibited from keeping data longer than they need it. This will in turn help you comply with the data minimization and data accuracy principles. To determine how long data is needed, organizations must consider several factors, including to what extent they need to keep a record of a relationship with an individual once that relationship ends, to what extent they need to keep information to defend themselves from possible future legal claims, industry standards and guidelines, and any legal or regulatory requirements.
- Listen to your client – Every organization wants their marketing team to go the extra mile to get more sales, but where do we draw the line? Once a client opts out of promotional content, there is no need to go back to them, lest you have a lawsuit on your hands. Clients also have the right to be forgotten; once a client requests that their information be deleted, the organization must take the necessary steps to do so if there are no legal impediments to such requests.