And so we hear about more data protection breaches… the Information Commissioner’s Office (ICO) doesn’t seem to be relaxing the reins on GDPR enforcement anytime soon! Alongside the various big brands who have recently been in the headlines for their various data protection slip-ups, Brexit and its accompanying campaigns continue to loom large in the shadows.
Leave.EU’s suspected data breach
This month it was announced that the ICO is ready to fine Leave.EU, and a related insurance company, for breaching data protection rules. Leave.EU was one of the pro-Brexit campaign groups during the 2016 referendum, and was run by Nigel Farage. There were more than one million emails sent to Leave.EU subscribers, which contained marketing materials for Eldon Insurance. Eldon Insurance is owned by Arron Banks, who donated £8 million to Leave.EU. The ICO has been investigating “an abundance of claims and allegations” that the public’s rights to privacy were disregarded as a result of this marketing campaign, in what has reportedly been an extremely complex data protection investigation. When asked about the matter, Banks said “Gosh, we communicated with our supporters and offered them a 10% Brexit discount after the vote! So what?” This appears to be part of the allegation by the ICO that there had been a “disregard for voters’ personal privacy”.
The ICO fine
The fine is reported to be £135,000. Remember – if this investigation had related to an event that happened under the new GDPR rules (i.e. it had occurred after May 2018), the fine could have been up to EUR 20 million or 4% of annual turnover. The ICO also looked into whether the Vote Leave campaign (the official leave campaign for the referendum) had processed the personal data of UK citizens in Canada. The Vote Leave campaign worked with Canadian analytics firm AIQ. The ICO found no evidence of any personal data breach relating to the processing of data in Canada. However, the ICO is continuing to investigate how the Vote Leave campaign delivered electronic marketing communications during the campaign, and whether they breached data protection rules in this respect. And in terms of the Remain side of the referendum campaign, the ICO is also investigating whether there were any personal data breaches. In particular, the ICO is looking into Britain Stronger and a linked data broker, and whether there had been “inadequate third-party consents”.
Takeaways for business owners
This is yet another reminder that the ICO will be continuing to firmly enforce the new GDPR rules, and that businesses need to ensure they are up to speed with the requirements. In terms of marketing communications (the main privacy issue arising from the referendum campaigns), it’s important to remember the following: You need permission to contact a prospect or a customer. You cannot assume they want to be contacted. Consent must be “freely given, specific, informed and unambiguous” A pre-ticked box that automatically opts individuals into a marketing list doesn’t pass the GDPR test – individuals have to actively tick the box to be contacted It is your responsibility to make sure that individuals can easily access their data and that their data can easily be deleted if they ask for this to be done (known as ‘the right to be forgotten’) Make sure you only collect the data you actually need. You must have a legal basis to justify the processing of the personal data you collect. Don’t gather more data than you need ‘just in case’ you might need it at a later date. It is imperative to ensure that you comply with all of the points above in order to be compliant with GDPR. Remember that the scale of the fines makes non-compliance not an option. If you remain somewhat uncertain about your position regarding the full compliance of your data protection procedures you can check your position via our handy GDPR Checklist. The author of this article is expert LawBrief Barbara Jamieson. For further GDPR legal advice, please enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team. Journey further…GDPR Products and ServicesLawBite GDPR Rescue Package
Even several years after the introduction of the General Data Protection Regulations (GDPR) in 2018, there is still a lack of understanding about h...
LawBite can help you
LawBite is on a mission to provide business legal advice that is easier to access, clearer to understand and much cheaper. Our on-line legal advice platform can quickly connect you with expert business legal advice. Our friendly, highly qualified business lawyers, solicitors and mediators will give you the guidance and reassurance that comes from customised legal advice for small and medium sized business.
Whether you are bringing or defending a legal claim, outsourcing work, want a business contract review to ward off disagreements, talk to an expert trademark lawyer, resolve a contractual dispute with methods like mediation and arbitration, or getting your new company set up and on the right footing with a robust shareholder agreement and GDPR standards, we can help you succeed.
Lawbit Limited (trading as LawBite)
Correspondence Address: Studio 403, 332 Ladbroke Grove, London W10 5AD
Registered Address: 39 Long Acre, London, England, WC2E 9LG
Our lawyers provide legal advice working through Lawbriefs Ltd.
Lawbriefs Ltd is authorised and regulated by the Solicitors Regulation Authority (SRA number 622808)