CRM: Don't forget about privacy

Ed. note: Do you have legal questions related to IT you want answered? Email them to editorial@silicon.com and we'll consider them for inclusion in future 'Ask the Lawyer' columns.

In his debut column for silicon.com Olswang partner Simon Briskman examines the legal issues involved in data privacy for CRM systems.

Purchasing a customer relationship management (CRM) system is a complex and high profile corporate activity. Companies must address the business case, systems implementation challenges and change management issues. Against this background, it is unsurprising that customer privacy concerns often take a back seat role.

Yet some major corporations do take the privacy issue seriously because of legal compliance requirements and corporate governance repercussions - and because consumer privacy has become a customer relationship issue in itself. Customers often cite unsolicited telephone calls, sale of mailing lists and unsolicited emails as their top information privacy concerns.

In an effort to win trust from customers, IBM, Microsoft, HP and many other major players in the technology industry have appointed chief privacy officers (CPOs). Surprisingly European companies have been less quick to follow the US example. This is despite Europe's far more protective, pro-consumer data protection laws.

The European legislation calls for a transparent and consent-based approach to handling personal data, whatever the purpose. The US regulation avoids blanket legislation but addresses some privacy concerns with focused laws (for instance aimed at the banking sector, or currently, cutting out spam). Without EC-style government intervention, US companies have often self-regulated, appointing CPOs in response to the customer trust issue. Since US law is so different, it is worth examining the European regime and whether European Community law imposes too tough a burden on business.

The roots of European data protection law lie in the European Convention of Human Rights. The Convention aims to find a balance between the privacy of individuals and freedom of expression, including the economic rights of companies to market.

By the 1970s many thinkers had a concern about government and corporations building massive data warehouses monitoring every aspect of an individual's life and tracking and analysing that person's every step. How far sighted these politicians and academics were. Modern data mining allows CRM systems to make complex assessments of an individual's likely interest in a product or the chances they will default on their credit card.

By the 1980s many EC states (notably Germany and the UK) had data protection laws designed to protect citizens' privacy. The EC felt it needed to regulate to ensure that there were similar rules in every country in the EU, so as to allow free movement of data across Europe. This move was both pro-consumer and pro-trade. EC law therefore evolved to afford some basic protections to individuals concerning how personal data about them is collected and used.

Broadly the law requires companies to identify themselves upfront and make it clear what information they are collecting about individuals and why. For many forms of marketing contact with individuals, consent is required and it is most practical (although not always essential) to ask for consent when the information is collected. Companies may also need consent for data export to areas with weaker data protection than the EU. (This last requirement affects EC-US trade, companies with global operations and offshoring.)

Making sure people are informed and give their consent to the marketing use of their information requires information management across the corporation, from call centres to mailings, website wording and customer guarantee forms.

Once these things are done, companies have to keep data secure, accurate and up-to-date. Then there are requirements for businesses to answer customer queries about data held concerning them and to stop marketing to customers who object. This can be problematic to police in large organisations where many individuals have access to databases and data is used in different ways by separate business groups.

The European rules are certainly complex and may require legal advice or dedicated privacy compliance experts to unravel. In this light, many marketers are still uncomfortable about the European data protection regime. Some of their concerns are well founded. Without sufficient attention the rules are often broken and companies face adverse publicity, loss of customer trust and scrutiny from the regulators. Broaching these problems across major enterprises can require an empowered privacy professional as well as good management systems.

Since the European system adds a burden to business, the American system may seem more attractive. However, at the heart of the matter the European approach attempts to tackle an issue we are all concerned about: customer trust.

Whatever your view on it, there is one lesson Europeans should learn from their American cousins: privacy is a customer relationship issue and demands senior management attention. Perhaps it is time more European companies listened to customers and appointed CPOs.

Simon Briskman is outsourcing and technology partner at law firm Olswang.