One of the most popular presenters on one of the most popular radio stations in Ireland recently launched a great idea – a loyalty card for his listeners. This card seems to be the replacement for his previous gimmick, a “Nudie Pen”.
Visit the radio station website (NewsTalk.ie), tell them your name, your address, your email address, your 3 favourite bands and your favourite foods and a piece of plastic featuring a picture of the host will wend its way to your door.
Simple.
At least it is unless you step back and think about the process from the point of view of Data Protection principles.
Personal data must be obtained and processed fairly for specific purposes. What are the purposes for which NewsTalk wants my personal data? If it is just to send me a card then we walk right into another issue – information gathered should not be excessive to that purpose.
So, if you are just sending me a card, why do you need to know my music and food preferences?
Sensitive personal data, such as data pertaining to medical conditions, political beliefs or ethnic origins, is treated with more seriousness under the Data Protection Act. So, depending on the responses to those questions about music and favourite foods, sensitive personal data could be processed.
The explanation of the loyalty card scheme that is on the NewsTalk website is great and in keeping with the light-hearted nature of Tom’s show. However, it doesn’t go far enough in explaining or setting out the purposes for which the data is being captured.
Other issues arise as a result of processing personal data via a website, such as the legal requirement to have a privacy policy displayed on the site and the data protection requirements of keeping the data safe and secure and only keeping it for as long as it is needed for the specified purpose. I’ll explore these in later posts.
It is all too easy to fall foul of the simple rules that exist to ensure trust and transparency in how personal data can be processed. Prior planning can ensure that Compliance is an enabler of business and customer interaction rather than a nagging fear of being caught dragging at your actions.
Taking out your Nudie Pen and mapping out what your information objectives, purposes, etc. are (see this tutorial on my company website for an example) is time well spent to make sure you aren’t creating a rod to beat yourself with. Using your Nudie Pen to sign up for some Data Protection Training (such as that offered by the Irish Computer Society or my company) would also be a worthwhile step, particularly given the Data Protection Commissioner’s recent findings on the need for the management teams in businesses to be aware of the Data Protection implications of their actions.