In the first part of this series, we looked at where to find out more information about GDPR in the UK (hint: The ICO.gov website has everything you need). In the second part, we looked at some historical enforcement action by the ICO against companies who had made a mistake with their security and data that they were responsible for. In the third part, we again looked at some different angles of opsec which have caused issues such as physical access to a server room not monitored by CCTV and how it led the RSA to a £150,000 fine. Finally, in part 3 we looked at Keurboom Communications Ltd who deliberately used the data they had to make almost 100 million phone calls to sell PPI or accident handling – I am sure anyone who has a UK number would have received some of these, I know I certainly did and ended up getting so many at one point I changed my phone number.
In this part, we will change to look at how companies have mishandled the data they have, not regarding poor operational security but regarding how they used the data in ways they were not authorised to do. This is just as important as the previous areas of data handling we looked at, and as we have seen with Keurboom and their £400,000 fine, the ICO doesn’t treat this as any less important than losing data because of poor security.
Moneysupermarket.com Ltd (MSC LTD)
https://ico.org.uk/media/action-weve-taken/mpns/2014482/mpn-moneysuperma...
One individual had told the Moneysupermarket.com that they did not want to receive marketing emails.
In December 2016, Moneysupermarket.com sent an email to someone saying that they had updated their terms and conditions and highlighted that they had refreshed their privacy policy. The email included this section (copied from the enforcement action):
“We hold an e-mail address for you which means we could be sending your personalised news, products and promotions. You’ve told us in the past you prefer not to receive these. If you’d like to reconsider, simply click the following link to start receiving our e-mails”. This was followed by a large ‘click link’ box entitled ‘Go To Preferences’”
This one individual complained to the ICO because they said
you can’t use their data to ask them if you can use their data.
because the email asking for consent to future marketing messages was itself sent for direct marketing.
Moneysupermarket.com explained that they had sent the email 7,127,415 times (only 6,788,496 were received). Sidenote: In all these cases of sending emails the people being fined always include the “we sent x, but only y were ever received”, if I was the ICO I would ignore that as they had attempted to send the larger amount and the intent was that they would be received but I don’t work for the ICO so ho-hum.
Every customer who received that email had previously opted our of receiving direct marketing emails. Moneysupermarket.com could not provide any evidence the recipients of those emails had consented to receive the messages.
The ICO felt that it was a deliberate contravention of regulation 22. The enforcement action again highlights the ICO’s guidance that it gives out for free (I can’t stress this enough, if the ICO have it in their documentation you better know and action it).
Outcome: £80,000 from one complaint.
Honda Motor Europe Limited t/a Honda (U.K.)
https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-honda-europe...
Honda has a list of 343,093 users on its list but no opt-in or opt-out information so they sent them all an email asking if they would like to hear from Honda, do you want to opt-in or opt-out. As with the Moneysupermarket.com, a single complaint to the ICO kicked off an investigation. The details of this one really are interesting.
Honda was collecting email addresses from lots of sources including their dealerships who were separate legal entities (important) and Honda had a web site for dealerships to enter in the details of users who consented to marketing but there was a problem with the site, instead of validation on the “Person accepts marketing gumpf” field, some dealers left it blank, some put in an X and some put in emoji poo’s (I made the last one up) so Honda had all these peoples contact details and didn’t know if they could market to them or not.
Honda said it sent the emails, not as a marketing activity but as a service email to ensure they were maintaining compliance with the data protection principles. They stated that they would only keep people who positively replied on their marketing lists and removed everyone else.
Outcome: £13,000.
This was interesting and the thing it really shows that if you make a mistake and can’t provide evidence of consent, then you may as well delete the data you have as you can’t use it.
This case wasn’t helped by Honda continuing to send emails after the ICO had warned them and Honda only stopped when the ICO told them to cease sending the emails.
If you are thinking that you will start contacting people to get their consent before GDPR comes in and you haven’t already got that consent and can provide the evidence to the ICO should a complaint be made then you should expect a fine.
Macmillan Cancer Support
I will end this part by moving away from corporations whose goal is to make money to two charities with the same goal of making money but instead of profit for shareholders, to do some good in the world. Around the end of 2015, beginning of 2016 there was a raft of enforcement action against charities because of media attention at the time.
Because of the nature of charities, the fines are smaller but still significant.
Macmillian had data on and had consent to market to a large number of its supporters, but they did two things. In 2009 and 2014 they used the services of a wealth screening company to find wealthy or high-value individuals amongst Macmillan’s donors. The wealth analysis was not in Macmillan’s privacy policy at the time so individuals could not have consented to it.
The second thing was that they did some telematching which involves trying to match individuals to telephone numbers so they can be called. Macmillan’s privacy policy did not state that it did telematching, so again users could not have consented to it.
Outcome: £14,000
, there are lots of mitigating features here and if this had not been a charity expect this to have been higher. Consent and only using the data in ways which had been consented to are so important.
Battersea Dog's and Cats Home
Finishing off this retrospective of previous ICO enforcements we have the Battersea dogs and cats home, it is timely as I am on the train literally going past right now.
In 2015 charities were in the media about their use of data so the ICO got in touch to see what it was doing with data, this wasn't in response to a specific incident they just decided to get in touch and have a poke about.
Between 2010 and 2015 BDCH (Battersea Dog's and Cat's home) passed 740,181 records to a third party to telematch the users with a phone number. They managed to match 385,709 records and 229,476 were contacted.
The BDCH's privacy notice did not say that they would do any telematching.
Outcome: £9,000 fine.
So there you have it, that is my selection of favorite previous ICO enforcements, I hope they have given a range of views about what it is the ICO may choose to do in terms of fines. The bottom line is to start preparing for GDPR and if you do know about any breech probably notify them now rather than let the term of the issue stretch into the GDPR timeframe where the fines could be a lot heavier.
I hope you have enjoyed this, if you are unsure where to start then re-read the first part and there are plenty of people out there looking to cash in on GDPR so I am sure you will be able to find someone 🙂
The previous parts are available:
Part one is: https://the.agilesql.club/blogs/Ed-Elliott/2018-02-01/GDPR-Panic-Part-1
Part two is: https://the.agilesql.club/blogs/Ed-Elliott/2018-02-01/GDPR-Panic-Part-2
Part three: https://the.agilesql.club/blogs/Ed-Elliott/2018-02-01/gdpr-panic-part-3