General Data Protection Regulation (GDPR)
Simunix source their marketing data from REaD Group, which is the UK's leading independent data communications agency.
1. Data Compliance
REaD Group captures and gathers permissioned personal data from the Edited Electoral Register and a number of select U.K. based data contributors (online, offline and telemarketing campaigns) via customer, customer satisfaction and lifestyle surveys, mail order, purchase/warranty card responses and offers and competitions websites. The data is sourced from a wide range of sectors such as financial, retail, lifestyle/household and technology. The data is collated, validated, verified, screened and enhanced, then combined into a series of databases from which extracts of data may be provided under contract to REaD Group's business partners and clients.
As part of their governance and data compliance practices, all of REaD Group's current and prospective data contributors undergo rigorous Data Compliance due diligence audits on an annual basis organised by their Data Protection Office (DPO) to maintain continual compliance. The company have a team of employees with many years' experience handling data in the direct marketing world, with skills in database construction, data processing, customer service and regulatory matters.
2. Current Data Contributors
The DPO Team carries out Data Compliance Due Diligence Audits at least annually, taking into account the performance, quality, accuracy and compliance of the data supplied, and the number of data subject enquiries and complaints and their subsequent outcomes. The data contributor completes a Data Compliance Due Diligence Audit form and is required to pass the audit in order to continue to supply REaD Group with compliant data feeds. The DPO also carry out ad hoc checks on data provided by data contributors: they take randomly selected personal data records and ask the data contributor to provide details of when and how the data subject's permission was obtained for their data to be passed to other companies for marketing purposes.
If the DPO Team's findings are unsatisfactory, i.e. the data is not DPA and PECR compliant, the data shall be removed from REaD Group's database and the matter investigated further, taking into account all the data provided by that particular data contributor.
3. Prospective Data Contributors
When REaD Group are sourcing new data contributors to provide permissioned personal data they look for established, U.K. based companies who are able to consistently provide reasonable quantities of DPA and PECR compliant personal data. The companies are subject to various procedures and are required to pass a Data Contributor Due Diligence Audit, similar to the audit applied to current data contributors. The companies who pass the procedures are appointed as data contributors, subject to signing a REaD Group contract in which they confirm that the personal data they shall supply is compliant with DPA and PECR.
4. Due Diligence Audits
The audits for existing and prospective data contributors include the following verifications and checks for DPA and PECR compliance:
- Contributor's legality, location and contact details;
- Contributor's professional memberships, registrations and certifications (ICO, DMA, ISO);
- Contributor's accreditations;
- How contributors deal with enquiries, complaints, data subject access requests etc.;
- Data dictionary and file layout with volumes by channel with the original date of data capture together with the latest date of engagement.
5. How REaD Group keep their databases DPA & PECR compliant
Before any data is added to a REaD Group database, all steps are taken to verify and validate the records by channel using existing data and third-party resources. The satisfactory data is then:
- de-duplicated and formatted;
- screened against PAF;
- screened against in-house suppression records and other in-house files (Gone Away Suppression File, The Bereavement Register, Qinetic), and other industry suppression files, including TPS and MPS;
- cross-checked and, where appropriate, all data referring to one individual is combined.
REaD Group databases are screened weekly against TPS and monthly against MPS, in-house suppression files (Gone Away Suppression File, The Bereavement Register, Qinetic) and other industry suppression products. The databases are refreshed quarterly using the latest in-house and third-party data contributor supplies of permissioned personal data.
6. Information Security Management
REaD Group are ISO 27001 certified and have a fully operational information risk assessment process in place. Information security is governed by an internal ISMS steering group who meet on a weekly basis. The group's Statement of Applicability (SoA) and ISMS objectives are available on request. Roles & responsibilities are clearly defined within their internal ISMS systems. Escalation routes are defined for coordinated responses to crucial processes (such as compliance monitoring, incident response etc.), with ISMS stakeholders being listed within the escalation routes. These roles are updated continuously and reflected within the ISMS management system (for example, changes in senior leadership mid-cycle are reflected immediately within the Information Security Policies).
7. Staff Compliance
REaD Group staff undergo Data Protection, Anti-bribery and Information Security training as part of their induction. Staff are required to read and sign a declaration agreeing to comply with the Information Security policies within the Information Security Handbook and ISMS. Training on specific areas of information security and data protection is tailored to an employee's role. Staff also receive annual refresher training to ensure they are informed of any regulatory, legislative and statutory updates.
8. Professional body memberships & accreditations
REaD Group are registered with the ICO, are members of the DMA, hold the DMA Data Seal and are ISO 27001 certified. In addition, they have representation on a number of DMA boards & councils (more information available on request).
ICO Membership Number: Z6778302
MOJ Membership Number: CRM41372
Companies House: 02959244
9. REaD Group's view on the ICO's GDPR consent guidelines
'The ICO's recent interpretation of how consent can be obtained under the GDPR has caused a furore. This has understandably led to concern as well as raising a number of questions. Not least of all – is the data you are buying still legally compliant? Today? Tomorrow? And perhaps more importantly, will it remain so come the 25th May 2018?
We hope the following will help set your mind at rest that everything we are doing at REaD Group is, and will always be, compliant.
Firstly, there is a great deal of confusion around the 'use' of personal data today and in the days leading up to 25 May 2018. The prevailing law around digital channels is covered by the Privacy & Electronic Communications Regulation (PECR); for postal communications this is governed by the 1998 Data Protection Act (DPA). The use of personal data for digital marketing is already 'opt-in' - you will have noticed that the vast majority of fines issued to date relate largely to mass SMS and email broadcasters.
The ICO is, rightly, dealing with (what they term as) the “bad actors” before moving onto the issue of wider compliance. One big challenge we may have to face over the next 14 months is preparing for the possibility of a move from an opt-out to an opt-in for all direct marketing.
At REaD Group we have been working towards adopting GDPR standards since reading the final published regulations in May 2016. We have reviewed and improved our own data collection methods, our contributor due diligence processes and have enhanced our own internal IT solutions. From a data supply perspective we now insist that data is permissioned correctly and clearly evidenced. We already expect consent to be in line with the GDPR Article 4(11) “freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
"The Oracle", our central IT solution, is designed with the above requirement and privacy in mind and will record the specific consent statement applicable to every collected piece of personal data. Our goal is to be able to provide the actual statement for each part of the personal data we hold. Until now we have considered that, for digital marketing, a consent for the use of personal data in a named vertical sector is informed and unambiguous.
However, the ICO guidance on consent provided on 2 March 2017 suggests that this will not be specific enough. We do not agree with this and have presented our views to the ICO – as have the DMA and other companies. Remember: GDPR is an incoming regulation and up until its enforcement, the existing rules will still apply to both direct mail and the digital sector.
REaD Group remains supportive of the GDPR. We believe it will deliver a better disposed and more engaged consumer, which should be mutually beneficial for both brands and MSPs. We do not support the stance being taken by the ICO which currently seems intent on going well beyond the requirements described within the regulation.
We will be working hard over the intervening period to ensure that the implementation of GDPR allows brands to continue communicating with both customers and prospects in a collaborative and transparent manner that is based on respect and mutual consent.'
10. In response to the ICO direct marketing guidelines
Below are REaD Group's responses to the questions the ICO recommends you ask companies when working with direct marketing. For this reason there may be some overlap with the official statements above.
Who compiled the list? When? Has it been amended or updated since then?
REaD Group captures, and also gathers under contract, permissioned personal data from the Edited Electoral Register and a number of select U.K. based data contributors. The data is collated, validated, verified, screened and enhanced and then combined with other data into a series of databases from which extracts of data are provided under contract to business partners and clients. Databases are refreshed quarterly using the latest in-house and third party data contributor supplies of permissioned personal data; in turn the databases are screened weekly against TPS and monthly against MPS and in-house (Gone Away Suppression File, The Bereavement Register, Qinetic) and other industry suppression products.
When was consent obtained?
At time of data capture. Acxiom and Active's contributors update their bases quarterly and suppress monthly.
Who obtained it and in what context?
As above consent is obtained by our data contributors.
Acxiom – consent collected at point of data collection – on surveys/questionnaires and also from warranty cards also used for data gathering.
Active – built up of 12 key contributors (Credit Reference Agencies + Electoral Roll etc.). We undergo a vigorous due diligence practice with each supplier to ensure we are satisfied with how consent was obtained.
What method was used – e.g. was it opt-in or opt-out?
A combination of both, in line with the current Data Protection legislation. As per our GDPR statement we are currently reviewing each contributor to ensure they will be in line with GDPR policy.
Was the information provided clear and intelligible? How was it provided – e.g. behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
Yes. As per consent samples with clear privacy policies – these can be seen in our Consent library (available on request).
Did it specifically mention texts, emails or automated calls?
If applicable, this would be detailed in the consent statements.
Did it list organisations by name, by description, or was the consent for disclosure to any third party?
As per consent samples with clear privacy policies. This varies per contributor and their different consent statements and depending on the channel opt-in.
Has the list been screened against the TPS or other relevant preference services? If so, when?
Databases are refreshed quarterly using the latest in-house and third-party data contributor supplies of permissioned personal data; in turn the databases are screened weekly against TPS and monthly against MPS and in-house (Gone Away Suppression File, The Bereavement Register, Qinetic) and other industry suppression products.
Has the individual expressed any other preferences – e.g. regarding marketing calls or mail?
As per attached consent sample library (available on request).