The DMA's Updated Compliance Process FAQ
20 Oct 2016
The DMA has announced the introduction of an additional compliance audit for all companies that buy and sell data. In line with the DMA’s drive for the highest standards and a responsible approach to data-driven marketing, the audit has been introduced to provide additional assurance to brands and reinforce the importance of only working with DMA member companies.
To help you understand the updated process and how your business might be affected, we’ve prepared some responses to your ‘Frequently asked questions’.
If you have any other questions that we haven’t addressed here, please don’t hesitate to contact a member of your DMA team directly or via legaladvice@dma.org.uk.
What is the updated compliance process?
Every organisation that joins the DMA also goes through a compliance process in order to ensure their practices are in line with the DMA Code. This involves an initial assessment that is reviewed by the DMA’s own compliance team, including any further follow-up required.
The update to this process now means that any business that is classified as buying or selling data will also be asked to go through an external audit that has been designed by the DMA, but will be conducted by an independent third party.
How does the audit process work?
The first stage of the DMA’s compliance process includes an initial questionnaire about the core activities and details of the business. This is reviewed internally by the DMA compliance team, which decides on the basis of this information whether the company will be required to go through the external audit process. The deciding factor is whether the business is deemed to buy or sell data.
It is recommended that any business that’s asked to go through the external process complete an initial DMA compliance questionnaire that will cover issues such as training, disaster recovery, data security and outsourcer/affiliate management. This is to help companies ensure they have the right information to hand. Anything gathered in the DMA’s questionnaire will be supplied to the external auditor to assist them in their process.
Upon completion of the initial questionnaire, the applicant will be asked to progress to the second stage of the process, the external audit. The external audit will apply specifically to the buying and management of data, for example, when and where was the data collected, the appropriate opt-in statement and privacy policy, TPS screening procedures, other suppressions, website forms, telephone scripts, and similar activities.
The external audit process is designed and owned by the DMA, but executed by an independent third party auditor. The use of an external third party to conduct the audit ensures the process is independent while utilising the specialist knowledge that the auditor can offer. The applicant company will liaise directly with the external auditor to achieve the certification. The auditor will charge the audit fee and any related travel costs or additional expenses directly to the applicant. Upon successful completion of the audit, the applicant will send the certificate of completion to the DMA compliance team and upon payment of the DMA membership fee, DMA membership will be confirmed.
Why use an external/third party auditor?
The external audit process is designed and owned by the DMA, but executed by an independent third party auditor. The use of an external third party to conduct the audit ensures the process is independent while utilising the in-depth specialist knowledge that the auditor can offer. The DMA’s compliance team will continue to conduct the initial compliance assessment and work with the external auditor on any further follow-up required.
How do I know if I have to go through the external audit?
If you’re an existing member, speak to your DMA account manager or a member of the compliance team, who will be able to confirm whether you will be required to go through the external audit process.
If you’re a new member, speak to one of the DMA’s new business team who will be able to discuss the questionnaire with you and whether you would be asked to go through the additional audit process as part of joining the DMA.
When will I have to have completed my audit?
New members categorised as buying or selling data will have to successfully pass the external audit process before becoming a DMA member.
Existing DMA members will be notified at least 3 months in advance of their renewal date, indicating whether they will need to complete the additional audit process in order to renew their membership. They will then be expected to have concluded the process before their renewal date.
How often will my business have to take the audit?
Once a company has successfully passed the external compliance audit, it will also be asked to submit an online questionnaire annually to ensure there are no significant changes to the way the business operates. If there have been significant changes to the business, or after three years, the business will be asked to renew its external compliance audit.
Who is the external auditor?
At launch, the DMA has partnered with DQM GRC to conduct these audits and is looking to add other auditors to the roster in due course. The audit currently available from DQM GRC costs £1,950, plus any travel costs or additional expenses incurred. The auditor will liaise directly with the applicant company to charge these fees.