Privacy notices are not an unlimited licence

Doing something right is not the same as doing the right thing – especially when it comes to privacy and data protection. Many in the world of data management and marketing are rather selective when it comes to what they will admit to and what they don’t want to face up to.

Two separate initiatives by the Information Commissioner’s Office highlight this gap – the latest Code of Practice on Privacy Notices and the handbook on Privacy Impact Assessment (PIA). Both show how keen the ICO is to make it as easy as possible for companies to understand how to be compliant and especially to communicate what measures they are taking.

Privacy notices are the frontline as far as data collection is concerned. They are the point at which a company says what it intends to do with data that has been collected. What the ICO wants is for notices to be clearer and more informative for data subjects, rather than being written from the point of view of giving the data controller legal protection.

There is no reason for these two things to be mutually exclusive. Indeed, the vast majority of practitioners are confident that they already get it right. When Acxiom hosted an event for privacy experts in marketing to discuss the new Code of Practice, it asked participants about their current procedures – 90 per cent believed they were already protecting personal information adequately through regular improvements to security measures and privacy policies. Forty-five per cent did not expect the new guidance to have an impact because of what they already had in place.

That is encouraging and should also reassure customers about what happens to their data when it is collected. Except that the ICO’s other publication about PIAs is not only far more challenging, it is also barely being talked about.

Designing for privacy is a concept that the ICO has been promoting strongly, and assessing what impact a data security breach would have on the data subject is part of that drive. To reduce the downside risks, there has been a strong emphasis on limiting what data is collected and for how long.

Those are key principles in the Data Protection Act, yet they are probably the least acted on. Organisations have a ravenous appetite for data and are eager to collect all they can get. The idea of actually deleting data simply does not feature in most data management routines.

So you can tell an individual all you like how safe their data will be. That is not the same as accepting limits on how much of their data is needed. Until that changes, data subjects are right to mistrust the industry.
