7 Secure
In full:Appropriate technical and organisational measures shall be taken against unauthorised or
unlawful processing of personal data and against accidental loss or destruction of, or
damage to, personal data.
This guideline places a legal imperative on organisations to prevent unauthorised inter-
nal or external access to information and also its modification or destruction. Of course,
most organisations would want to do this anyway since the information has value to their
organisation.
Of course, the cost of security measures will vary according to the level of security
required. The Act allows for this through this provision:(i) Taking into account the state of technological development at any time and the cost of
implementing any measures, the measures must ensure a level of security appropriate to:
(a) the harm that might result from a breach of security; and (b) the nature of the data to be
protected. (ii) The data controller must take reasonable steps to ensure the reliability of
staff having access to the personal data.8 Not transferred to countries without adequate protection
In full:Personal data shall not be transferred to a country or territory outside the European
Economic Area, unless that country or territory ensures an adequate level of protection of
the rights and freedoms of data subjects in relation to the processing of personal data.Transfer of data beyond Europe is likely for multinational companies. This principle
prevents export of data to countries that do not have sound data processing laws. If the
transfer is required in concluding a sale or contract or if the data subject agrees to it,
then transfer is legal.Anti-spam legislation
Laws have been enacted in different countries to protect individual privacy and with the
intention of reducing spamor unsolicited commercial e-mail (UCE). Originally, the best-
known ‘spam’ was tinned meat (a contraction of ‘spiced ham’), but a modern version of
this acronym is ‘sending persistent annoying e-mail’. Spammers rely on sending out mil-
lions of e-mails in the hope that even if there is only a 0.01% response they may make
some money, if not get rich.
Anti-spam laws do not mean that e-mail cannot be used as a marketing tool. As
explained below, opt-in is the key to successful e-mail marketing. Before starting an
e-mail dialogue with customers, according to European and American law and in many
countries in the Asia–Pacific region, companies must ask customers to provide their
e-mail address and then give them the option of ‘opting into’ further communications.
Ideally they should proactively opt in by checking a box. E-mail lists can also be purchased
where customers have opted in to receive e-mail. Data held about individuals are com-
monly used for marketing products to potential or existing customers through e-mail.
Legal opt-in e-mail addresses and customer profile information are available for pur-
chase or rental from a database traditionally known by marketers as a cold list, so called
because the company that purchases the data from a third party does not know you.
Your name will also potentially be stored on an opt-in house listwithin companies you
have purchased from where you have given your consent to be contacted by the com-
pany or given additional consent to be contacted by its partners.CHAPTER 3· THE INTERNET MACRO-ENVIRONMENT
Spam
Unsolicited e-mail
(usually bulk-mailed
and untargeted).
Cold list
Data about individuals
that are rented or sold
by a third party.
House list
Data about existing
customers used to
market products to
encourage future
purchase.