Keeping secrets?

Businesses see customer relations as the next step in maintaining competitive edge.

Nicola McKilligan

But be warned that pulling together personal information from a variety of sources could mean companies are breaking the law.

Have you been involved in customer relationship management (CRM) database projects recently? If you work in IT in any customer-focused environment, then chances are the new drive toward better CRM will have affected, to some degree, the projects you are working on.

CRM is transforming the culture of many businesses with the emphasis changing from product-focused company strategies to customer-defined ones. Central to the success of CRM is the personalisation of services. Customers must be offered the services they want and which are right for them or they will go elsewhere. Technology supports successful CRM because it enables organisations to draw together information from different parts of their business that can be combined (typically in a single data warehouse) so a complete overview of the customer can be created.

Mining and profiling techniques can then be used to discover trends in customer activity which can be added to this overview to enrich the data held. But as useful as these personalisation techniques are in targeting people with appropriate marketing messages or services, data used in this way can present serious privacy and data protection risks. Those developing such systems should be aware that privacy legislation in the form of the Data Protection Act 1998 is likely to restrict the potential of such databases or influence the way in which they are developed.

Merging data

Most CRM databases are developed on the assumption that data from all parts of the business can be merged but this may not always be true. Under the 1998 Act, businesses need legitimate grounds for processing customers' personal details.

It is often enough for an organisation to demonstrate a business need for the processing. That will not suffice if the processing presents a risk to the customer's privacy, or if sensitive data about the customer, such as information on health, race or religion, is processed. For example, explicit consent may be needed before information about a heart condition, collected on an insurance policy application, can become part of a database used for marketing.

Data protection law also dictates that personal information collected for one purpose cannot then be used for an incompatible one. This means wider uses of combined data envisaged when developing a CRM database may be compromised if the person was not informed of these wider uses at the time of providing the data. If the person's consent cannot be obtained to the wider processing, then parts of the customer data may have to be "ring fenced". Such issues must be addressed at the earliest stage in a CRM database project to avoid proceeding with an over-optimistic business case.

E-CRM strategies raise additional data protection concerns because they add Web-based profiling information to the customer overview. Such information is often gathered with cookie-based tracking, without the customer's knowledge or permission, which counts as unfair processing under the legislation.

Irrelevant information

Companies online and offline should also beware of adding irrelevant or excessive information about customers to CRM databases. If there is no strict requirement to hold the information for the organisation's purposes then a breach of the 1998 Act will occur. This is a danger when information volunteered by a customer is added to a database, for example, where details of hobbies are provided during a telephone conversation and added to a CRM system as part of the call transcript.

E-CRM and international CRM databases may also fall foul of the law if data collected from European Union (EU) citizens is transferred to, or added to a database in, a country outside the European Economic Area (EEA). The 1998 Act restricts transfers outside the EEA unless an adequate level of protection for the data can be demonstrated. Contracts may sometimes be used to safeguard the data, or the transfer may be allowed where the destination country has similar legislation in place. If adequate protection cannot be shown, the customer's informed consent to the transfer must be obtained.

However, the news is not all bad for CRM from a data protection view. In many cases the quality of data improves when it is combined on a CRM system, because inaccuracies and out-of-date information are easier to correct and remove. Holding the data within a single data warehouse should also make it easier to respond to subject access requests (the right of every individual to obtain, for a fee of £10, an intelligible copy of all the information a company holds about them).

Combining databases

The concern remains as companies rush to combine existing customer databases into a single data warehouse that unrealistic expectations are being created as to the extent to which personal information can be used. Unwary organisations could find themselves investing in solutions which the law may ultimately prohibit.

CRM guidelines

  • Restrict uses of data to purposes customers have already been informed of

  • Be prepared to "ring fence" data that has been collected for different purposes

  • Be aware that customers have the right to prevent processing which causes them damage or distress and to prevent processing for marketing purposes

  • Only process information strictly required by the business

  • Be aware international databases may present particular problems.
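The guidelines above, together with the earlier points on merging data and international transfers, describe a set of rules a data warehouse can enforce rather than leave to the business case. The following is an added example written for this page, not the article's own material or any CRM product's code: a purpose-aware merge that ring-fences fields collected for one purpose when a view is built for another, withholds sensitive data unless explicit consent exists, honours the marketing opt-out, drops irrelevant fields at ingest, checks a transfer destination, and produces a subject access copy. The data model, purpose names, relevance lists, country lists and sample records are constructed assumptions for illustration.

```python
"""Purpose-aware customer overview (added example; constructed data model)."""
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    SERVICE = "service"      # delivering what the customer actually signed up for
    MARKETING = "marketing"
    ANALYTICS = "analytics"  # mining and profiling


SENSITIVE_FIELDS = {"health", "race", "religion"}   # categories the article names

# Fields each source has a strict need to hold; anything else is dropped at ingest.
# Constructed lists for the example.
RELEVANT_FIELDS = {
    "insurance": {"name", "postcode", "health", "policy_no"},
    "call_centre": {"name", "phone", "last_call"},
    "web": {"email", "pages_viewed"},
}

# Constructed, deliberately incomplete country lists used only by transfer_allowed().
EEA = {"GB", "IE", "FR", "DE", "NL", "NO"}
ADEQUATE = {"CH"}   # assumption: treated here as having adequate protection


@dataclass
class Record:
    source: str
    customer_id: str
    fields: dict
    purpose: Purpose                                    # what the data was collected for
    notified: set = field(default_factory=set)          # other uses the customer was told of
    explicit_consent: set = field(default_factory=set)  # uses explicitly consented to
    marketing_opt_out: bool = False


def ingest(source, customer_id, raw, purpose, **kw):
    """Store only the fields the source is required to hold (no call-transcript hobbies)."""
    keep = {k: v for k, v in raw.items() if k in RELEVANT_FIELDS[source]}
    return Record(source, customer_id, keep, purpose, **kw)


def usable_fields(rec, purpose):
    """Subset of one record that may be used for `purpose`; the rest stays ring-fenced."""
    if purpose is Purpose.MARKETING and rec.marketing_opt_out:
        return {}
    if purpose is rec.purpose:          # the purpose it was collected for
        return dict(rec.fields)
    out = {}
    for name, value in rec.fields.items():
        if name in SENSITIVE_FIELDS:
            ok = purpose in rec.explicit_consent   # a business need is not enough
        else:
            ok = purpose in rec.notified or purpose in rec.explicit_consent
        if ok:
            out[name] = value
    return out


def build_overview(records, customer_id, purpose):
    """Merge all sources into one view for `purpose`; report (source, field) pairs withheld."""
    overview, withheld = {}, []
    for rec in records:
        if rec.customer_id != customer_id:
            continue
        allowed = usable_fields(rec, purpose)
        for name, value in rec.fields.items():
            if name in allowed:
                overview.setdefault(name, value)   # first source wins on a clash
            else:
                withheld.append((rec.source, name))
    return overview, withheld


def transfer_allowed(country, contract_safeguards=False, customer_consent=False):
    """Whether a record may be added to a database hosted in `country`, and why."""
    if country in EEA:
        return True, "inside the EEA"
    if country in ADEQUATE:
        return True, "adequate protection in that country"
    if contract_safeguards:
        return True, "contractual safeguards"
    if customer_consent:
        return True, "informed consent to the transfer"
    return False, "no adequate protection shown and no consent"


def subject_access_copy(records, customer_id):
    """Everything held about one person, per source, regardless of purpose."""
    return {r.source: dict(r.fields) for r in records if r.customer_id == customer_id}


# Constructed sample data for one customer.
SAMPLE = [
    ingest("insurance", "c1",
           {"name": "A. Customer", "postcode": "AB1 2CD", "health": "heart condition",
            "policy_no": "P-100", "hobbies": "sailing"},   # hobbies: irrelevant, dropped
           Purpose.SERVICE, notified={Purpose.MARKETING}),
    ingest("call_centre", "c1",
           {"name": "A. Customer", "phone": "0123", "last_call": "2000-05-01"},
           Purpose.SERVICE, notified={Purpose.MARKETING}, marketing_opt_out=True),
    ingest("web", "c1", {"email": "a@example.invalid", "pages_viewed": 12},
           Purpose.SERVICE),   # cookie profile; customer never told of any other use
]

if __name__ == "__main__":
    print(build_overview(SAMPLE, "c1", Purpose.MARKETING))
    print(transfer_allowed("US"))
    print(subject_access_copy(SAMPLE, "c1"))
```

The point to notice is that the marketing view is smaller than the warehouse: the heart condition stays with the insurance source, the call-centre record vanishes entirely because of the opt-out, and the web profile is unusable for anything but the service it was collected for, while the subject access copy still returns everything held. Running the purpose check at query time, rather than copying all fields into one table, is what keeps the ring fence intact when a new use is bolted on later.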

BSI discount offer

If the above sounds daunting, BSI-Disc, in conjunction with the Data Protection Commissioner, has published practical guidance on the Data Protection Act.

As a special offer to Computer Weekly readers, BSI-Disc will give a 5% discount on its Data Protection Update Service.

For further details, contact BSI on 020-8996 9001 and quote reference No: Z22 or visit
