Henry Cazalet examines the zero-tolerance approach of the UK’s Information Commissioner, with a 58pc rise in fines issued to rule-breakers.
The Information Commissioner’s Office (ICO) of the UK has the authority to hand out fines of up to £500,000 to companies that break data protection and anti-spam rules.
Since August 2015, it has issued fines of more than £8.7m to UK organisations that have fallen foul of the regulations. During the same period, 104 separate monetary penalty notices have been issued.
In 2017, there was a 58pc increase in fines issued over the previous year, a rise from £2.9m to £4.9m.
With GDPR taking effect from May 2018, it’s more crucial than ever that companies understand their responsibilities regarding the handling of consumer data, and the consequences of failing to do so.
Clearly laying out the regulator’s zero-tolerance approach to breaches, the ICO’s head of enforcement, Steve Eckersley, commented: “Companies who pester the public must understand they won’t get away with it. The ICO will take action.”
As the fines analysis reveals, the consequences for companies that break the rules can be very serious indeed.
Nuisance calls attract highest fines
Spam phone calls accounted for 46pc (£4,017,000) of all fines issued since August 2015.
Automated calling technology has allowed unscrupulous companies to target people in their homes on a massive scale. In May 2017, Keurboom Communications, the company behind a staggering 99.5m nuisance calls, was fined a record £400,000 by the ICO.
“These calls have now stopped but our work has not. We’ll continue to track down companies that blight people’s lives with nuisance calls, texts and emails,” said Eckersley.
Data breaches attract record number of fines
Data breaches, where companies have failed to protect consumer data adequately, accounted for 34pc (£2,996,501) of the total value of fines issued since August 2015. Data breaches also attracted the largest number of individual penalties: 41 companies and organisations were fined, accounting for 39pc of all penalty notices.
In addition to the fine recently handed out to Carphone Warehouse, one of the most notable data breach penalties went to TalkTalk Telecom, which in October 2016 was fined £400,000 for security failings that allowed a cyber-attacker to access the personal data of 155,959 customers and the bank details of 15,656 of them.
Commenting on the case, UK information commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk’s systems with ease.”
Financial services sector tops fines chart
Financial services received more ICO fines than any other industry sector: 24 separate penalties since August 2015, accounting for 23pc of all penalty notices.
Surprisingly, the charity sector was second in terms of the number of monetary penalties issued. Eleven fines were handed out, equating to 10.5pc of all fines issued.
These fines were mainly for breaches of data protection where charities were caught sharing donor data with other organisations without the appropriate consent. In many cases, bending the rules to their own benefit resulted in an investigation, enforcement action and a fine.
Average spam fine exceeds £100,000
The average fine for SMS spam breaches was £108,000, comfortably above the £100,000 mark. By comparison, fines for email spamming averaged just over £40,000.
SMS spam is widely viewed as far more intrusive than email spam, so is likely to generate more complaints, resulting in higher fines.
Largely due to the efforts of the ICO, SMS spam has fallen sharply in recent years. Not long ago, most of us received multiple texts a month offering payday loans, PPI or accident compensation.
Using third-party data for spamming offers no protection
The fines serve as a powerful lesson to companies that use third-party data for direct marketing and believe they are immune from enforcement action because they are one step removed from the process of actually sending the emails or texts.
Companies that purchase email or SMS data from third-party suppliers are responsible for conducting their own due diligence on that data. It is their responsibility to check that the data they are using carries the correct ‘opt-in’ consent. It is not acceptable to rely on a third party’s assurance that use of the data complies with the law: businesses have to be able to demonstrate for themselves that the people on the list have given their permission.
In February 2016, credit broker Digitonomy was fined £120,000 for being responsible for millions of texts being sent without proper consent.
“We say it over again: any business that has instigated a marketing campaign is responsible for the information involved. Businesses need to get it right or we will take action,” said Eckersley.
“Depending on the word of another company is simply not acceptable and is not an excuse. Digitonomy is paying a hefty price for not meeting its responsibilities.”
Bleak outlook for spammers
What this data makes clear is that there is no place to hide for organisations that attempt to ignore the rules. The ICO is sending a strong message that any company found to have been involved in illegal activity will be investigated and fined.
The risks strongly outweigh any perceived reward. Ignorance of the rules will offer companies no defence. It is the responsibility of organisations of all sizes to make sure that all their activities remain on the correct side of the law.
This zero-tolerance approach to rule-breaking may mean that spam becomes a thing of the past. We may be heading for a bright new age where our mobiles and inboxes remain spam-free and our junk folders sit weirdly empty. That would be something we could all look forward to.