Client marketers are increasingly outsourcing their data and data management to third parties. This can save the company time and make the database work far more effectively, that is, if you choose the right data partner.
Rushing into an arrangement with a company you know little about can be more detrimental than letting the database stagnate in-house, as it could lead to fines, the prospect of getting sued and/or losing all of the data. To safeguard against these worst-case scenarios it’s best to learn as much as possible about the company, its policies and its practices. Understanding these issues can make the difference between a happy and a disastrous relationship with a bureau or other data partner.
And what better way is there to get answers than asking the right questions?
1. Do you comply with data law?
The consequences of non-compliance with data protection legislation can be extremely serious. Get it wrong and it’s the client, not the bureau, that gets it in the neck, opening up the business to private and group prosecutions whereby it can be sued for compensation, receive a fine of up to £5000 and have the data removed.
At the very least you should ask to see your bureau’s data protection registration to check that they are registered under the appropriate sections of the Act for your business, and that they comply with the eight principles of the Act, details of which you can find on www.informationcommissioner.gov.uk. So that everyone knows who’s responsible for what, your contract should state that you are the data controller, while the bureau is the administrator.
2. Who owns bespoke software?
If your bureau has created bespoke software or a bespoke database/model/application for any aspect of running your database, you need to know who owns that software. Clarify this at the beginning and it should eradicate the possibility of paying an extortionate price for the rights should you wish to change bureau.
3. Is your software certified?
Does your bureau hold certificates to prove that they are the licensed owners for all of the software that they hold? If not, the copyright police can seize your data.
4. How often is data backed-up?
How often are data backups performed, where are the copies held, and how secure is that place? Many bureaux do their back-ups externally ‘down the wire’ to another data firm. If this is the case you should be happy that this is a secure way of backing up, plus you will need to check the disaster recovery policy of the company receiving the data down the line.
5. How secure is the data?
Who has access to your data and the relevant passwords? The bureau should also regularly change passwords. Data should be held in a secure room only accessible by those who are cleared to do so. Also, transmitting data is now very common, especially via File Transfer Protocol, but you need to consider the security implications because, to facilitate this, someone’s firewall needs to come down.
6. What happens to downloaded data?
You may collect customer credit card data safely through secure online systems, but what happens when that data is downloaded? Bureaux should ensure that these details are kept in encrypted form, split between two servers.
Also consider what happens when the customers’ details are printed by companies which are fulfilling orders. Ensure paper-based information is kept under secure conditions for a defined amount of time, after which it should be shredded.
7. What’s the staff security policy?
Ensure that bureau staff sign a data information security policy so everyone knows the rules about who can do what with data. Your ownership of the data should also be clearly set out in a contract.
8. How often do you run virus checkers?
Your bureau should have up-to-date firewalls and virus checkers, which update every 10 minutes to ensure they recognise new viruses. It should not allow employees to download any software onto a computer to analyse your database unless it has been checked and approved.
9. What are the contingency plans?
You must ask to see your bureau’s business continuity plan to check that they are taking all reasonable steps to keep your data safe in a disaster, with contingency plans to ensure that your data can be re-created if necessary, within appropriate timescales.
10. What standards and accreditations do you hold?
Data is a serious business and your bureau should view it as such. Ask them what standards and accreditations they hold. For instance, do they hold ISO 17799 and ISO 9000:2000 accreditations?
Indeed, if your bureau holds these it makes life much simpler as you will then know that they work to all the principles described above.