The ICO has recently issued its largest ever fine for nuisance calls. After being found to have ‘recklessly’ broken marketing call regulations, Home Energy & Lifestyle were fined £200,000. The company made 6 million automated calls offering ‘free solar panels,’ but the ICO ruled it didn’t have permission to make the calls. Lead generation company Oxygen Ltd has been fined £120,000 for an automated message targeting more than one million people without their consent.
The proliferation of complaints about nuisance calls has led to the growth of companies offering services to prevent such calls. Ironically, some of these companies are themselves falling foul of the rules. The ICO fined Chichester-based Cold Call Elimination Ltd £75,000 for making unsolicited marketing calls to sell cold-call blocking devices. Similarly, Point One Marketing Ltd (trading as ‘Stop the Calls’) was fined after it too was found to have made a substantial number of similar nuisance calls.
Second only to the outcry over unwanted calls are complaints about unwanted text messages. Following an ICO investigation, Swansea-based Help Direct UK Ltd was fined £200,000 for sending thousands of unsolicited marketing text messages about PPI, bank refunds and loans in a campaign that generated nearly 7,000 complaints.
Ensuring data has the correct permissions is crucial for companies not wishing to breach the DPA. An ICO investigation revealed the online pharmacy ‘Pharmacy2U’ sold 20,000 customers’ names and addresses through an online marketing list company. It hadn’t informed customers of this intention, nor had the customers given their consent. The result was a fine of £130,000.
The ICO has also been focusing on lost data. Last year, laptops containing sensitive police victim and witness interviews were stolen. They were being kept in a flat used as a studio when it was burgled. The laptops were password-protected but the data wasn’t encrypted. Following a lengthy investigation, this data breach resulted in a £200,000 fine for the Crown Prosecution Service. The Money Shop also received a penalty of £180,000 for loss of computer equipment containing a ‘significant amount’ of customer details.
Incidents such as these lend weight to the argument that data controllers require solid, effective processes to identify and mitigate these problems before they occur.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.