I am delighted to introduce Tim Sainty, Head of Membership at the British Veterinary Association (BVA). Let’s see what Tim has to say on this important topic.

A meander through data protection….

(Opinion Piece by Tim Sainty)

You don’t need to have been following the Ashley Madison* data leak story closely to understand the importance of having adequate data security measures in place.

Still, in this modern day morality tale, it is somehow reassuring to read that UK lawyers are expecting a windfall following the customer data released. As an aside, I happened to look up the “top divorce lawyer” quoted in the linked article and, on the subject of responsible use of data, must record my gratitude for the subsequent thoughtful advertising titled “Britain’s Top Divorce Lawyer, Act Now” that popped up when anyone was using the laptop afterwards.

Moving on… a quick tour around Association/Institute websites shows that:

  • Almost all now include access to customer self-service/account control, implying integration with CRM or membership database systems
  • The sector has responded to the rise of digital and how it can be used to deliver and increase accessibility to our services/benefits
  • Thankfully, none I found were yet integrated with interest-based advertising programs!

Having recently led a project to deliver a new website and integrated CRM platform at BVA, I became very familiar with the need for a reasonable Privacy Policy if your website collects users’ data. I refer to this as the one page of the site that is even more boring than the Terms and Conditions but the truth is that it is essential to provide users with clear information on how their data will be processed, retained, shared and removed if necessary.

Having written earlier that a visit to a divorce lawyer’s website has influenced the online advertising I am now receiving, I won’t compound the error by visiting Ashley Madison to check this, but I am pretty confident that they will have had a privacy policy of their own in place. A policy on its own isn’t enough of course. When collecting personal data and processing payments it is essential that you add a security certificate to the relevant section(s) of your site. This will set the web address to https and will allow secure connections between your site and the browsers of its users. It is also very helpful to subject yourself to the rigours of penetration testing. This will involve hiring an independent company to essentially try and identify the security weaknesses you may have (including your compliance with the policies you set). Just make sure you set budget aside to implement the subsequent recommendations you will undoubtedly receive!

The website is a window into your activities, but the data handling processes really take place in your back office systems. As a Head of Membership, I have naturally been an advocate for introducing a Customer Relationship Management (CRM) strategy through the organisation. Moving from a database that only two of us could access, to one that was still useful to the two of us whilst being shoehorned into the role of another handful of people, to one that can finally be usefully integrated into the day-to-day roles of staff from across the business provides us with a fantastic means of developing our understanding of our members (and those who are soon-to-be our members but just don’t know it yet).

Not only this though; a single CRM platform replacing those departmental and indeed individual staff member user contact lists, spreadsheets, Outlook contacts etc. provides for a much more robust system of data management and means we can more realistically set policies to adhere to the eight data protection principles.

I can’t believe I have reached this point and still haven’t mentioned EU Data Protection Regulation (EUDR). In terms of getting ready for it, the good news is that it is currently delayed and now unlikely to be introduced until summer 2016, but when it does arrive it will be a real game changer in how we all have to handle the data of prospects and our existing customers (read members). The prospect of a 5% of annual turnover fine for not seeking and renewing explicit consent to store and utilise personal data certainly concentrates the mind, and now is already the time to start thinking about and auditing your collection, storage and use of data, current customer consent policies and a customer’s right to be forgotten. These are not things that can be switched on to compliant overnight and getting it right is going to be another burden on all of our resources.

It sounds a lot but don’t forget, if all else fails, then just pick up the phone and call your Data Protection Officer. You do have one, right?

* In fact, I hope you don’t need to have been following the Ashley Madison data leak story closely for any reason at all…