Be a Good Data Steward

A number of high-profile data security breaches in recent years have been a strong reminder that responsible handling of data goes beyond compliance with existing laws. Data stewardship, says Ben Isaacson, privacy and compliance leader at information solutions firm Experian, headquartered in Costa Mesa, Calif., is more than just what you put on paper in your contracts and privacy policy. “It’s really how a company sets up a process by which it can manage data—and most of the time, what we’re talking about is personally identifiable information.”

Data security and privacy issues can be broken into three main areas: data procurement, data usage and data transfer, says Lou Mastria, chief privacy officer and vice president of public affairs at NextAction, a Westminster, Col.-based cooperative data solutions firm. Let’s look at some key issues marketers should understand to address these areas with care.

Data Procurement
When sourcing data for list rental or other business activities, the first thing to ascertain is who collected the information and is it a company that’s trustworthy. Ask for documentation, says Isaacson, that indicates the firm has done all the due diligence possible to acquire its data in an ethical and responsible manner. And when it comes to the where, what and how of data collection, he cautions marketers to remember there are two playing fields to evaluate: offline and online.

Given that the offline space has been dominated by data services companies with operations that go back decades, it’s easier to check the reputation of firms in this sector. Another factor to consider is that offline data doesn’t churn or migrate to new sources of information as quickly as it does in the online world, Isaacson points out, allowing marketers to get a better understanding of the data they’re sourcing. In the online world, however, most e-mail address files are no more than 10 years old, so you also have to look at the technology involved in the acquisition of e-mail addresses. Most, if not all, e-mail list entities obtain a time, date and IP address stamp for each e-mail address they collect, and make this information part of their data source file, says Isaacson.

This is the kind of data verification that brokers need to obtain when searching for lists and data for their clients’ marketing campaigns, says Susan Pearce, vice president, lists and data, at Harte-Hanks, a direct marketing services company with headquarters in San Antonio. Mailers should work with brokers they can trust to do this legwork; one sign of a good broker, she says.

Another best practice is not to acquire more data than you need, especially sensitive data like social security numbers or credit card numbers. Why deal with the liability attached to this kind of data unless you have to, Mastria remarks. If you do use personally identifiable data for marketing purposes, make sure you have training procedures on security/privacy in place for anyone in your company who might come into contact with this information.

Data Usage
When it comes to data usage, an important step every marketer should be taking is to honor consumer requests to stop receiving postal mail, e-mail, phone calls and faxes; suppression also should be granted to those who do not want their data shared with outside parties under any circumstances. In addition to being regulated by a mix of federal and state laws—such as the Can Spam Act, for one—the deployment of an in-house suppression file is a condition of membership in the Direct Marketing Association (DMA).

A corollary to the subject of sourcing involves intelligent use of information on prospects and customers in your marketing efforts. One of the data issues of particular concern to Mastria is the existence of records on marketers’ files that either can’t be attributed to a source or that came from the Web but the original source driving the online response—e.g., direct mail, television—cannot be traced. In these instances, there is a danger to treating these respondents as part of the overall housefile, he explains, since you don’t know enough about them to develop a relevant contact strategy. In addition, your list rental clients won’t have much to go on for their marketing efforts, either. Implementing a sound matchback process is critical to identifying these unknowns in your promotions process so you can better determine how to engage them in the larger direct marketing process, Mastria states. Otherwise, he emphasizes, the industry is going to continue to see declining response rates due to ineffective marketing communications.

Data Transfer
Obviously, all parties in the data supply chain need to exert considerable effort to stay in line with state and federal legislation when sharing information. But what about industry self-regulation?

Harte-Hanks’ Pearce finds the list industry a changed business today. In the past, list rentals or exchanges might have taken place via a verbal agreement between companies that had a high trust level. Now, more contracts are used—and they’re reviewed by firms’ privacy and/or legal departments before being signed by employees who are responsible for their companies’ data policies, she says.

This diligence also is being applied to the inspection of mail pieces, telemarketing scripts and other direct marketing creative that marketers intend to send to the lists being requested for rental. Pearce notes the entire contents of such campaigns are being scrutinized to ensure all information is legal and appropriate for the audience. Even data compilers are asking for this information from their rental clients, she adds.

While this increasing adherence to rental clearance and data security best practices is heartening, Pearce hopes to see the list industry be more consistent as a group in following these processes and DMA guidelines. “We realize that if we don’t step up to the plate, we will face more legislation that might not be in the best interests of the consumer.”

Beyond Compliance
To better serve the public, experts agree that marketers must spend more time contemplating how data is used in the marketing process and what impact their decisions have on the world at large. “As marketers and custodians of data, we need to take the onus that data security is fundamental not only to our businesses but to the trust of the end customer,” says Mastria.

Companies that are leading the way in data best practices set their own high standards and then do business only with companies that offer similar levels of security and privacy protection, Isaacson notes. To develop these standards, companies can bring in an outside data security auditing firm to scrutinize their procedures, he explains, or at the very least, they should have a security professional—on-staff or outsourced—review their relationships and contracts.

And don’t forget the tools developed by the DMA. Mastria, who served for several years as the association’s vice president of media and public relations, mentions a few guides and checklists that can help member companies get a handle on this topic:

* Do the Right Thing—takes the DMA’s member guidelines on regulatory issues and translates them into commonsense advice.

* Privacy Checklist—provides a comprehensive approach to data collection, usage and transfer.

* DMA Guidance: Screening Offers Before List Rental—also available to non-members, this advisory was developed with input from the Federal Trade Commission.

Considering that more than a few data security bills are up for congressional review, what can direct marketers do to anticipate the future? Isaacson, who two months ago was named co-chair of the DMA’s new Data Stewardship Council, sums up the issue: “If you follow your own data privacy people’s view of best practices for data stewardship and DMA guidelines, then you should be adhering to a standard that should govern all your business operations—whether or not there’s a pending law. Most laws don’t look at best practices, they look at common practices. If you’re looking at best practices, then you should be in a good position.”