ICO Questionnaire Simplified
In light of recent cases such as Optical Express v Information Commissioner (EA/2015/0014) and Pharmacy2U Ltd, the ICO is having a crackdown on people who are potentially breaking the law when sharing data.
In light of recent cases such as Optical Express v Information Commissioner (EA/2015/0014) and Pharmacy2U Ltd, the ICO is having a crackdown on people who are potentially breaking the law when sharing data.
Over 1000 organisations have been asked by the ICO about various aspects of their business. At Media Bowl we have had the questionnaire. It consists of 15 questions ranging from providing
- A full description of the data that you trade or share with other organisations;
- A full description of the consents that you rely on when buying, selling, sharing or renting personal data;
- Does your organisation engage in any information relationship where data is shared via a common database with multiple other organisations.
Hours of fun for any data controller.
Question 9 is
“Full details of the records that are retained in order to enable your organization to comply with individuals’ rights under the Act. This would cover the information required for you to comply with the subject access requests, and also section 11 suppression requests. “
People who contact us with subject access requests always want to know where we got their details from, to who we have passed the details on and how to get removed from the list.
Back in early days, this could have been hours of work. A data broker may have over 100 suppliers and pass on details to over 100 clients. Searching through a database or a bunch of CSV files could take a while.
Fortunately, we use Databowl which stores all this information automatically. It processes the leads and then stores the results in an archive. If a contact phones up or writes in, we can tell them exactly the time and date they opted in, where and who their details have been passed on to.
Section 11 suppression requests are easy to process as the system maintains a suppression list ensuring that people who have requested to be removed are no longer contacted. Some companies merely delete the contact which is the wrong thing to do as there is no way to make sure the contact is not put back on the database.
Having a robust system such as Databowl makes compliance a breeze. You know exactly where your complaints are coming from and can stop using bad suppliers if complaints get excessive.
If you are struggling with compliance or subject access requests, investing in a lead management platform such as Databowl could save you hours of headaches. Get in touch if you want to find out more or have a demo.
Ben Luong, Data Controller for Media Bowl Ltd and Business Officer for Databowl Ltd