While we are a fun loving and generally easy going group of people here at Tower, we also work hard to ensure everything we do is honest, fair and – obviously – in compliance with the law. Recently, there was some big news for those of us who work with information – Cayman’s new data protection law was gazetted in early June, bringing much needed regulation to the movement of personal data between consumers, businesses and other third parties.
So will your business will be compliant with these new laws? Where do you even start? Not to worry, Tower has your back. The good news is that the law is not yet in effect, giving you and your business around twelve months to bring your practices in line with the new regulations. Consumers should also pay attention to the new law, as you should be fully aware of your rights and what to look out for when it comes to giving your information to a business. For marketers, some of the relevant areas we collect personal information include social media, direct marketing such as subscriptions for newsletters and eblasts, competitions, and to some extent, market research.
Under the new law, personal data is defined widely to include any data which enables an individual to be identified. Personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the consumer in advance.
From a marketing perspective, at its most basic form the new data protection law requires the ‘data controller’ (the person who collects and then determines how the data will be processed) to tell the ‘data subject’ (consumer) how they are going to be using the data and, if they will be sharing it, who the data might be shared with and for what purposes. This information is usually communicated through a ‘privacy notice’. Transparency will be key with this process and the data subject should be given a clear method for opting out of receiving direct marketing at all stages. This means not to fall into the trap of ‘bundled consent’ meaning you force the consumer to opt-in to something they don’t want, to get something they do (ie. an opt-in check box that covers multiple communications when a consumer may only want to receive one).
If you intend to share or sell the data you’ve collected, it’s extremely important for you to be aware that, as the data controller you will be liable for any breach of the new law, even if it’s a third party partner who is responsible for the breach. To protect you as the data controller, personal data should only be shared with the consent of the data subject and on the terms set out in the privacy notice. If personal data is to be processed for any new purposes, this processing can only be undertaken if fresh consent is obtained. Contractual provisions should be put in place between you and any third party processor restricting use of that data for the specified purposes and to show that you have taken steps to protect the personal data you have collected.
Here is a checklist that will help you get on the right track to being a successful data controller:
- Obtain consent – always issue a privacy notice which clearly sets out how an individual’s personal data will be used and shared; include an opt-out ability for direct marketing purposes and carefully record all opt-outs. Always ensure the language is clear, easy to understand and not hidden away in ‘small print’
- Be mindful when selling or buying lists – ensure your third party seller/buyer is reputable, keep the general theme of the materials similar between collector and third party (i.e. don’t use a list for an art event for a financial services industry member), ensure the third party has records of where they obtained the data and, if they are selling the data, that they have adequate consents to do so and protect yourself with a contract
- Use your own lists properly – always make it clear who the communication is coming from, have procedures to deal with inaccuracies or complaints, only use your data for its outlined and agreed purpose, include an opt-out function with each communication, don’t use bundled consent
We are excited to see legislation around data protection in the Cayman Islands come to fruition and begin to be taken seriously. This is a logical and necessary next step for us as a country who pride ourselves on being ahead of the curve.
A final thought. Following best practice in managing your customer’s data not only makes you a responsible organisation and keeps you within the law, but will produce more effective marketing results. Blasting customers with emails they’ve not signed up for and don’t want, will not improve your conversion rates and ROI. It only leads to bounce backs, hurts the domain reputation and sullies your relationship with the people you’re trying to reach. Using data that is clean, complete and up-to-date means your messages will reach the right people and will help in marketing conversion. And when your target audience is open and willing to receive communications from you that is relevant and timely to them, your marketing will yield the best results.
Note: A big shout out to the guru of all things privacy and data protection Peter Colegate, Senior Associate at Appleby. Peter and I had a long and interesting discussion which helped me better understand the new law and its implications for marketing in Cayman. Thanks Peter.