Businesses see customer relations as the next step in maintaining
competitive edge. But be warned that pulling together personal information from a
variety of sources could mean companies are breaking the law.
Nicola McKilligan
Have you been involved in customer relationship management (CRM)
database projects recently? If you work in IT in any
customer-focused environment, then chances are the new drive toward
better CRM will have affected, to some degree, the projects you are
working on.
Personalisation
CRM is transforming the culture of many businesses with the
emphasis changing from product-focused company strategies to
customer-defined ones. Central to the success of CRM is the
personalisation of services. Customers must be offered the services
they want and which are right for them or they will go elsewhere.
Technology supports successful CRM because it enables organisations
to draw together information from different parts of their business
that can be combined (typically in a single data warehouse) so a
complete overview of the customer can be created.
Mining and profiling techniques can then be used to discover
trends in customer activity which can be added to this overview to
enrich the data held. But as useful as these personalisation
techniques are in targeting people with appropriate marketing
messages or services, data used in this way can present serious
privacy and data protection risks. Those developing such systems
should be aware that privacy legislation in the form of the Data
Protection Act 1998 is likely to restrict the potential of such
databases or influence the way in which they are developed.
Merging data
Most CRM databases are developed on the assumption that data
from all parts of the business can be merged but this may not
always be true. Under the 1998 Act, businesses need legitimate
grounds for processing customers' personal details.
It is often enough for an organisation to demonstrate a business
need for the processing. This will not be the case if processing
presents a risk to the customer's privacy or if sensitive data
about the customer, such as information on health, race or religion,
is processed. For example, someone's explicit consent may be needed
if information about a heart condition collected from an insurance
policy application becomes part of a database to be used for
marketing purposes.
Data protection law also dictates that personal information
collected for one purpose cannot then be used for an incompatible
one. This means wider uses of combined data envisaged when
developing a CRM database may be compromised if the person was not
informed of these wider uses at the time of providing the data. If
the person's consent cannot be obtained to the wider processing,
then parts of the customer data may have to be "ring fenced". Such
issues must be addressed at the earliest stage in a CRM database
project to avoid proceeding with an over-optimistic business
case.
E-CRM strategies can raise additional data protection concerns
as they also add Web-based profiling information to the customer
overview. Such information is often obtained without the customer's
permission or knowledge using cookie-based tracking technologies,
which is regarded as unfair processing under the legislation.
Irrelevant information
Companies online and offline should also beware of adding
irrelevant or excessive information about customers to CRM
databases. If there is no strict requirement to hold the
information for the organisation's purposes then a breach of the
1998 Act will occur. This is a danger when information volunteered
by a customer is added to a database, for example, where details of
hobbies are provided during a telephone conversation and added to a
CRM system as part of the call transcript.
E-CRM and international CRM databases may also fall foul of the
law if data collected from European Union (EU) citizens is
transferred or added to a database outside the European Economic
Area. The 1998 Act restricts transfer to countries outside EU
jurisdiction unless an adequate level of protection for that data
can be demonstrated. Contracts may sometimes be used to safeguard
data or the transfer may be allowed where the country in question
has similar legislation in place. But if adequate protection cannot
be shown, then the customer's informed consent to the transfer must
be gained.
However, the news is not all bad for CRM from a data protection
view. In many cases, the quality of data may be improved when
combined on a CRM system as inaccuracies and out-of-date
information should be easier to correct and remove. The maintenance
of data within a single data warehouse should make it easier to
respond to subject access requests (the right accorded to all
individuals to obtain an intelligible copy of all information a
company holds about them for £10).
Combining databases
The concern remains, as companies rush to combine existing
customer databases into a single data warehouse, that unrealistic
expectations are being created as to the extent to which personal
information can be used. Unwary organisations could find themselves
investing in solutions which the law may ultimately prohibit.
CRM guidelines
- Restrict uses of data to companies customers have already been
informed of
- Be prepared to "ring fence" data that has been collected for
different purposes
- Be aware that customers have the right to prevent processing
which causes them damage or distress and to prevent processing for
marketing purposes
- Only process information strictly required by the
business
- Be aware international databases may present particular
problems.
BSI discount offer
If the above sounds daunting, BSI-Disc, in conjunction with the
Data Protection Commissioner, has published practical guidance on
the Data Protection Act.
As a special offer to Computer Weekly readers, BSI-Disc will give
a 5% discount on its Data Protection Update Service.
For further details, contact BSI on 020-8996 9001 and quote
reference No: Z22 or visit www.bsiglobal.com/dataprotection.