Putting best practice before regulation of data industry

With ICO codes of practice and MoJ reviews to deal with, Robert Keitch has a substantial workload on his desk. He explains to David Reed why pressure on self-regulation does not have to lead to new laws, provided the industry behaves.

Trade associations are sometimes accused of being little more than talking shops. The great and the good meet there, exchange phone numbers, murmur about some perceived challenge to their business and head off for lunch. To some extent, every such body goes through phases like that, usually when the industry it represents is sailing through calm waters.

For the Direct Marketing Association, lunch is most definitely postponed and the urgent talk is all about icebergs ahead. As Robert Keitch, director of media channel development and environmental affairs at the DMA, puts it: “The policy maker seems to have come alive in the last year or so and is using a tone and style of language that I have not heard before in my four years here.”

The slate of issues to which the DMA is trying to co-ordinate its members' responses is certainly wide-ranging. At the sharp end, the Information Commissioner’s Office publishes a consultation paper on its Privacy Online Code of Practice on 9th December which Keitch says, “we are very keen to get hold of”.

The Commissioner is also lobbying government hard to be given the power to impose substantial financial penalties on organisations who allow data security breaches. At the softer end, the ICO is in the middle of consulting over how organisations can make the business case for building privacy into their processes.

If that were not enough, there is a likely review of the Data Protection Directive and the Privacy in Electronic Communications Regulations to come. As background to all of this, the European Commission is taking the UK Government to court over online privacy and the media has been full of the biggest data loss (by T-Mobile) since the HMRC affair.

Keitch sees the ICO privacy consultation as a potential turning point. “It is one thing for the DMA to say what is best practice. It is another for that to be applied across the whole spectrum of industry, not just at the top end,” he says.

Keitch is happy that the ICO is developing a code of practice, rather than looking for more regulation. “If it follows our own style of Code of Practice, that is a positive statement about what could be done, not just what should be done,” he says.

DMA influence on the type and style of governance that gets applied by official bodies should not be under-estimated. The Association is a preferred consultee of the Office of Fair Trading and has a long-term relationship with that regulator. Its framework of providing members with guidance on how to meet the intended spirit of any rules is used as a benchmark for future developments.

“The whole area has three levels. At the top is regulation and legislation. That is black and white, whether the law is good or bad, and everybody understands what is involved. In the middle is self-regulation,” he notes. The bottom layer is existing practice that is not currently covered, but which could become of interest.

“What’s being pushed here is largely in that space. We got a sight of that in the Financial Services Authority’s Treating Customers Fairly principles. They start from the position that if there is any doubt about an activity, the regulator will find in favour of the consumer,” he says.

An organisation may not have broken a law or even overtly breached a self-regulatory principle, but could still be fined or required to remediate a situation. This view is spreading rapidly into the arena of data privacy and security. Organisations may be compliant and operating legally, yet still suffer an incident that leads to corrective action.

“T-Mobile’s theft tarnishes the legitimate part of the data market. It is one thing to be caught out when buying in a file, but if it involves knowingly using contaminated data, that is a real problem,” says Keitch.

Such practices are perhaps more clearly in breach of fair practice principles – and possibly the law. Where there is currently a large grey area is the online data capture space and its associated use of behavioural targeting. This has become a matter of some concern to the European Commission which has realised that existing laws largely pre-date widespread use of the Internet.

Keitch believes the PECR review will revisit the question of browser settings and cookies, and points to Google’s recent launch of its Dashboard control panel as indicating the sensitivity among media owners about the issue. “They are the first mover and can do more than any other organisation to get advertisers to adhere to principles, whether they want to or not,” he says.