GDPR is here to stay
Well, all those annoying e-mails asking us to give consent have stopped. But GDPR remains. The Information Commissioner’s Office (ICO) has been quite busy, though all of the cases where they have reported outcomes that include fines relate to incidents that occurred before the new rules came into force. We have no benchmark yet to know how tough the new fines regime will actually be. We can expect the 4% of global turnover or £20m to be used in extreme cases only, but until the fines start we can’t be sure.
Some of the recent GDPR cases that have been reported:
Most readers will have heard about Cambridge Data Analytics and their use of data from Facebook, but in another case Lifecycle Marketing (Mother and Baby) Limited (trading as Emma’s Diary) supplied data about mothers with children under 5 to Experian, knowing that Experian were acting on behalf of the Labour Party. Lifecycle Marketing had obtained the data from contact forms (both online and offline) which contained privacy statements which give extensive detail about how and where data could be shared. There was no reference to the data being shared for political purposes or that it might be shared with political parties. The result of this breach is that Emma’s Diary was fined £140,000 (2% of their turnover). The offence took place in the run up to the 2017 General Election so the fine was levied under the old rules.
The key lesson here is that when processing (or sharing) personal data on the basis of consent make sure you know what the data subjects have consented to and that your processing (or sharing) is in line with that consent. If in doubt – don’t!
In many cases the issue is not about what the data controller or processor did but more about what they did not do with respect to ensuring the data was secure. On 28th September Bupa Insurance Services Ltd was fined £175,000 for failing to take appropriate steps to prevent a member of staff from selling customer data on the dark web.
Individuals can also be prosecuted under data protection law. For example, on 24th September a former NHS hospital nurse was fined a total of £800 (including costs) for inappropriately accessing patient data beyond the scope of what was needed for her role.
One area that is very important to companies engaged in direct marketing is to avoid making nuisance calls. It is not surprising that the number of complaints made to the ICO has increased since GDPR Day. In the lead up to May 25th and in the days immediately following, the general public were made much more aware of their rights. The number of complaints about nuisance calls rose by 9% in July. The most recent fine in this area is one for £150,000 for Oaklands Assist UK Limited – a fairly new company formed in 2016. The fine was for making nuisance calls and failing to check against TPS. The case dates from August 2017 so is before GDPR rules came in. However, the Privacy and Electronic Communications Regulations (PECR) on which the complaints were based, remain in force alongside GDPR.
Outsourcing? You still have responsibility as a data controller
Remember that if you outsource your telemarketing you, as data controller, have a responsibility to ensure that the data processor acting on your behalf is operating within the law. At Steadcross we check all numbers against TPS and CTPS when we build a new list and every 28 days until the campaign has concluded.
The information in this article represents a summary of our view of GDPR and is not intended as detailed guidance or advice. If you have questions about how GDPR affects your business please speak to your own legal advisers.
Author: Ian Roberts is the Director of Steadcross Solutions Limited, which offers various business development and consultancy services under the Steadcross brand.