And so we hear about more data protection breaches… the Information Commissioner’s Office (ICO) doesn’t seem to be relaxing the reins on GDPR enforcement anytime soon! Alongside the various big brands who have recently been in the headlines for their various data protection slip-ups, Brexit and its accompanying campaigns continue to loom large in the shadows.
Leave.EU’s suspected data breach
This month it was announced that the ICO is ready to fine Leave.EU, and a related insurance company, for breaching data protection rules.
Leave.EU was one of the pro-Brexit campaign groups during the 2016 referendum, and was run by Nigel Farage. There were more than one million emails sent to Leave.EU subscribers, which contained marketing materials for Eldon Insurance. Eldon Insurance is owned by Arron Banks, who donated £8 million to Leave.EU.
The ICO has been investigating “an abundance of claims and allegations” that the public’s rights to privacy were disregarded as a result of this marketing campaign, in what has reportedly been an extremely complex data protection investigation.
When asked about the matter, Banks said “Gosh, we communicated with our supporters and offered them a 10% Brexit discount after the vote! So what?” This appears to be part of the allegation by the ICO that there had been a “disregard for voters’ personal privacy”.
The ICO fine
The fine is reported to be £135,000. Remember – if this investigation had related to an event that happened under the new GDPR rules (i.e. it had occurred after May 2018), the fine could have been up to EUR 20 million or 4% of annual turnover.
The ICO also looked into whether the Vote Leave campaign (the official leave campaign for the referendum) had processed the personal data of UK citizens in Canada. The Vote Leave campaign worked with Canadian analytics firm AIQ. The ICO found no evidence of any personal data breach relating to the processing of data in Canada. However, the ICO is continuing to investigate how the Vote Leave campaign delivered electronic marketing communications during the campaign, and whether they breached data protection rules in this respect.
And in terms of the Remain side of the referendum campaign, the ICO is also investigating whether there were any personal data breaches. In particular, the ICO is looking into Britain Stronger and a linked data broker, and whether there had been “inadequate third-party consents”.
Takeaways for business owners
This is yet another reminder that the ICO will be continuing to firmly enforce the new GDPR rules, and that businesses need to ensure they are up to speed with the requirements.
In terms of marketing communications (the main privacy issue arising from the referendum campaigns), it’s important to remember the following:
You need permission to contact a prospect or a customer. You cannot assume they want to be contacted. Consent must be “freely given, specific, informed and unambiguous”
A pre-ticked box that automatically opts individuals into a marketing list doesn’t pass the GDPR test – individuals have to actively tick the box to be contacted
It is your responsibility to make sure that individuals can easily access their data and that their data can easily be deleted if they ask for this to be done (known as ‘the right to be forgotten’)
Make sure you only collect the data you actually need. You must have a legal basis to justify the processing of the personal data you collect. Don’t gather more data than you need ‘just in case’ you might need it at a later date.
It is imperative to ensure that you comply with all of the points above in order to be compliant with GDPR. Remember that the scale of the fines makes non-compliance not an option. If you remain somewhat uncertain about your position regarding the full compliance of your data protection procedures you can check your position via our handy GDPR Checklist.
The author of this article is expert LawBrief Barbara Jamieson. For further business legal advice, please enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team.