Lessons learned from the ICO's annual report: it is all in the numbers
The ICO released its annual report recently, which includes figures on its enforcement activities during the previous year. So what do the figures tell us?
Unsolicited direct marketing has been a focus for the ICO for a number of years, and last year the total fines issued for breaches of PECR (the law governing direct electronic marketing) surpassed the total fines issued for breaches of data protection law. The figures show that ICO enforcement resources are being used to try to change unsolicited marketing behaviours. The ICO issued 23 fines for breaches of direct marketing law totalling £1,923,000 (compared with 16 fines totalling £1,624,500 for breaches of the data protection principles). The key takeaways from this are to make sure you have records of valid marketing consents, to document how you meet the soft opt-in criteria (where soft opt-in is being relied upon), and to listen to and respond quickly to any complaints and opt-out requests.
A draft ePrivacy Regulation governing direct marketing was published in January 2017, and the proposal is for the new law to apply from 25 May 2018 (the same time as the GDPR). This timeline is looking increasingly impossible, but businesses should be aware that changes to direct marketing law are in the pipeline, which are likely to involve the higher GDPR standard of consent for direct marketing and GDPR-level fines for non-compliance.
Although fines often grab headlines, the ICO has a number of other enforcement powers, which can result in significant costs, reputational damage and operational disruption when deployed against controllers. Last year, 52 controllers signed undertakings committing their organisation to a particular course of action. Undertakings are not a statutory regulatory power, but the ICO has been using undertakings alongside or instead of fines to improve compliance. Undertakings are usually signed by a senior person in an organisation and can include a commitment to undertake an audit and/or complete a data protection impact assessment. There are often quite short deadlines for compliance with undertakings (typically one to three months), and the ICO follows up to check that the undertaking has been adhered to. The ICO has also been increasing its criminal enforcement (criminal cases resulting in prosecutions were up 50% in the last year). The ICO secured 21 convictions, 6 of which were for not registering with the ICO. This tells us that even though controllers will no longer need to register/notify with the ICO once the GDPR starts to apply, the ICO is still enforcing the law in this area (perhaps as an easy stick to use against non-compliant controllers).