Big Data or Big Confusion: Understand the data rules

Many companies do not know the rules on how to process data collected on the Internet. This is often what Heidi Steen Jensen, certified IT attorney, experiences when advising companies. Get an overview of the three sets of rules and find useful links.

Data on customers' Internet behaviour, calls to call centres, online purchases and digital newsletters: Within the last few years, the amount of online data available to companies has become enormous. And the new methods for analysing the data make the data more accessible for commercial exploitation. But many companies do not comply with the rules within this area.

- Many companies spend very little time getting to know the rules on personal data and cookies. And the rules are frequently violated, simply because the companies do not know how to comply with the rules, says Heidi Steen Jensen, expert in online marketing.

When advising companies, she has one simple mantra:
- The companies should do what they say they do. And what they do must be based on legislation.
Below are the three sets of rules to know when collecting Big Data.

WHEN COLLECTING ANONYMOUS DATA: THE EXECUTIVE ORDER ON COOKIES

A cookie is a small data file saved locally on the computer, smart phone or tablet for the purpose of obtaining data on the user. The Executive Order on cookies lays down the framework of what your company may and may not do when collecting data by means of cookies.

Three useful tips on cookies

1. Know your cookies.
You must know the cookies used on your website and the type of cookie. You must be in control of both first-party cookies set by your own website and third-party cookies set by third parties, where this third party or others obtain access to the data collected.

2. You must inform the user of the purpose of the cookies used on your website.
The user must be informed about the purpose of all cookies set by your website. This information must be provided on the website's front page and link to the underlying description.

3. You must obtain the user's consent.

The user must give his consent to cookies being stored on the computer, smart phone or tablet.
The Danish Business Authority supervising the cookie rules and Heidi Steen Jensen recommend that companies follow the Business Authority's guidelines for the Executive Order, which contain examples of how to comply with the Cookie Act.

For more information on the Business Authority's guidelines (in Danish).

WHEN COLLECTING PERSONAL DATA: THE ACT ON PROCESSING OF PERSONAL DATA

If you can identify a physical person in the data collected, the Act on Processing of Personal Data applies. This involves all data whether collected digitally or on paper. Personal data may e.g. be a name, an e-mail address or an IP address. The purpose of the Act is to protect the person whose data is processed against abuse or disclosure. The Act is far more restrictive than the Executive Order on cookies.

Three useful tips on personal data

1. Know your data.
Different rules apply depending on the data's sensitivity. The Act classifies personal data into three types:
•    Sensitive data
•    Data on purely private matters
•    General non-sensitive data

2. The user is entitled to obtain insight.
All users are entitled to know what data the company stores and to object to certain processing of the data.

3. Be in control of the data security.
Unauthorised persons must not have access to the personal data.

The Data Protection Agency published a pamphlet on the Act when this came into force on 1 July 2000 (in Danish).

WHEN CONVERTING DATA INTO COMMUNICATION: SECTION 6 OF THE MARKETING PRACTICES ACT

Section 6 of the Marketing Practices Act limits the companies' possibility of sending advertising material.

According to section 6, companies are not allowed to send electronic advertising or e-mails to customers or potential customers unless they have given their consent.

Three useful tips on electronic messages

1. Never send newsletters or advertising material by e-mail or in a text message without prior consent.

2. The consent must be informed and specified.

It must appear which communication form the consent covers (e.g. e-mail or physical marketing by post), the product marketed, and what type of advertising the user will receive.
3. It must be easy and free of charge for the user to opt out of messages from your company.

Read more in the guidelines on spam of the consumer ombudsman (in Danish).