The Information Commissioner's Office's (ICO) 'stop now' order to Glasgow-based DC Marketing for calling people on the Telephone Preference Service is an interesting development in the data protection world. It represents a significant change in tack on the part of the UK data protection regulator. All professional services firms undertaking marketing activities must note and take heed. Why?
Well, we know that the ICO has available to it a number of measures – criminal prosecution, non-criminal enforcement, audit and monetary penalty notice – that it can use to ensure that data protection and privacy rules are upheld. While the ICO has successfully served monetary penalty notices in the past, it has not been as successful recently. For instance, the Upper Tribunal has recently confirmed the Information Rights Tribunal's decision to overturn the £440,000 fine issued to the founders of Tetrus Telecoms over a breach of the UK's Privacy and Electronic Communications Regulations (PECR). It was the first time that the ICO had used its powers to issue fines for unsolicited direct marketing communications under the PECR. Prior to this case, the ICO's monetary penalty to Scottish Borders Council for failing to dispose of employees' pension records in compliance with the security requirements of the Data Protection Act (DPA) was also overturned.
Consequently, it appears that the ICO has started issuing 'enforcement notices' instead, sending a clear message that those organisations found not complying with the law 'will' be taken to task. Organisations mustn't be emboldened by the overturned rulings! And the Telephone Preference Service must be taken seriously by organisations engaged in telemarketing. Breach of an enforcement notice is a criminal offence and can result in prosecution.
Professional services firms must re-focus to ensure that their marketing departments comply with the rules. CRM systems, which many professional services firms already deploy, should be fully exploited in this regard. CRM can make compliance near fool-proof. The discipline allows firms to devise and enforce organisation-wide, transparent and robust data protection policies – those that encompass everything from what personal data to collect, how it must be kept up to date and who has the right to access it, through to the technical security measures and marketing preference flags.
The majority of data protection breaches take place inadvertently, but the consequences can be severe. It is worth covering your back – the reputational damage is long term and more harmful than any financial penalty. Laxity in the matter is not worth the risk!
This guest blog is authored by Emma Butler, Senior Director Privacy and Data Protection, LexisNexis UK