Now, there is no place to hide – all companies who trade in personal data for marketing purposes are squarely in the ICO’s spotlight as its crackdown on nuisance calls escalates.
The regulator has identified a thousand companies, whose registration with the ICO indicates their business activities include trading or sharing data. It’s believed these companies play some part in compiling and trading names and telephone numbers for cold calls, and they are receiving letters from the ICO asking them to demonstrate compliance. This sweeping measure comes as the regulator continues to pursue the perpetrators of nuisance calls, which generate 180,000 complaints a year. The ICO hopes this action will enable it to clearly distinguish between good operators and rogue traders.
This far-reaching move may be viewed as draconian, but the ICO says it “has become increasingly concerned about the trade of personal data.” It says data subjects are often unaware their details are being sought for commercial purposes and will be sold on to other companies. Announcing the crackdown Information Commissioner, Christopher Graham, said, “We see clear patterns building up and can identify who would benefit from guidance, and who the truly bad actors are. This enables us to execute search warrants, to drag people before the courts, and to issue fines.” Graham went on to say, “By targeting the illegitimate aspects of the list-broking business that fuels this industry, we have the chance to truly strike down this monster.”
The ICO has requested the targeted companies provide the following information:
• How they comply with the law
• What data they share
• How they get people’s consent to share their data
• A list of all the companies they’ve worked with in the last six months
• How lists are screened against the Telephone Preference Service (TPS)
• What other suppression lists are operated
• Contract terms used when information is sold
There is a further threat of ‘Information Notices’ for those who fail to reply or respond insufficiently. These would legally oblige an organisation to provide the ICO with the required information or face court action.
Should businesses involved in data sharing have seen this coming and been prepared? Stricter rules surrounding consent have been on the horizon, with the forthcoming General Data Protection Regulation. The charity fundraising sector, in particular, has been hit by a swathe of new rules and pressure to adopt opt-in. Combine this with the ICO’s recent focus on nuisance call operators and the warning signs were clear. (Also see – Who is the ICO Fining?)
Even for companies with robust compliance procedures, fulfilling the ICO’s request will be resource intensive. It will require a thorough review and explanation of data collection and sharing processes, focussed on ensuring transparency for data subjects. A comprehensive response will be critical to avert the ICO’s gaze.
11 December 2015
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.