It is not unusual for organisations to hold personal data and marketing permissions in several systems at once. The resulting disconnect can mean that a customer's refusal of further direct marketing is never acted upon.
The most common case is email unsubscribes. These are typically recorded in the email service provider's (ESP's) system but never written back to the data controller's CRM. So when data is extracted directly from the CRM for a tactical campaign that bypasses the ESP, marketing emails are inevitably sent to individuals who have unsubscribed.
Also common is data captured on a website that does not feed into the customer database (and vice versa): a consumer changes their marketing permissions on the website and the change never shows up in the CRM.
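The practical safeguard against both disconnects is a pre-send suppression check: before any campaign is mailed from a CRM extract, reconcile that extract against every system that may hold a refusal. The following is an added example written for this page, not code from the original article or from the Data Protection Network. The CSV layouts, column names and sample records (an ESP unsubscribe export and a website preference-centre export) are constructed for illustration; real exports will differ.

```python
"""Pre-send suppression check.

Added example, not code from the original article or the Data Protection Network:
before a "tactical" campaign is sent from a CRM extract, reconcile that extract
against every system that may hold a refusal (here an ESP unsubscribe export and
a website preference-centre export). The CSV layouts, column names and records
are constructed for illustration; real exports will differ.
"""
from __future__ import annotations

import csv
import io


def normalise_email(addr: str) -> str:
    """Canonicalise an address so matching is not defeated by case or whitespace.

    Local parts are case-sensitive in RFC 5321, but mailbox providers treat them
    case-insensitively in practice, and a suppression check must err towards
    suppressing: "Alice@Example.com" must match "alice@example.com".
    """
    return addr.strip().lower()


# Constructed sample exports. The ESP holds Alice's unsubscribe; the website
# holds Bob's opt-out; neither has reached the CRM, which still shows both as
# consenting. Dave refused in the CRM itself.
CRM_EXTRACT = """email,customer_id,marketing_consent
Alice@Example.com,1001,Y
bob@example.com,1002,Y
carol@example.com,1003,Y
dave@example.com,1004,N
"""

ESP_UNSUBSCRIBES = """email,unsubscribed_at
alice@example.com,2014-11-03
"""

WEB_PREFERENCES = """email,email_opt_in,updated_at
 bob@example.com ,false,2015-01-20
carol@example.com,true,2015-01-21
"""

FALSEY = {"false", "0", "no", "n"}


def load_suppressions(esp_csv: str, web_csv: str) -> dict[str, list[str]]:
    """Merge every recorded refusal into one map: address -> sources that hold it.

    Fails closed: an empty result almost certainly means a broken export rather
    than a customer base with no unsubscribes, so refuse to proceed.
    """
    suppressed: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(esp_csv)):
        suppressed.setdefault(normalise_email(row["email"]), []).append("esp_unsubscribe")
    for row in csv.DictReader(io.StringIO(web_csv)):
        if row["email_opt_in"].strip().lower() in FALSEY:
            suppressed.setdefault(normalise_email(row["email"]), []).append("web_opt_out")
    if not suppressed:
        raise RuntimeError("no suppressions loaded; refusing to treat an empty feed as 'nobody unsubscribed'")
    return suppressed


def screen_extract(crm_csv: str, suppressed: dict[str, list[str]]) -> tuple[list[str], dict[str, list[str]]]:
    """Split a CRM extract into addresses that may be mailed and addresses that
    must be held back, recording the reason(s) for each block so the decision
    can be evidenced if the basis for sending is ever questioned."""
    sendable: list[str] = []
    blocked: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(crm_csv)):
        addr = normalise_email(row["email"])
        reasons = list(suppressed.get(addr, []))
        if row["marketing_consent"].strip().upper() != "Y":
            reasons.append("crm_consent_withheld")
        if reasons:
            blocked[addr] = reasons
        else:
            sendable.append(addr)
    return sendable, blocked


def run_check() -> tuple[list[str], dict[str, list[str]]]:
    """Run the reconciliation over the constructed sample data."""
    return screen_extract(CRM_EXTRACT, load_suppressions(ESP_UNSUBSCRIBES, WEB_PREFERENCES))


if __name__ == "__main__":
    ok, held = run_check()
    print("sendable:", ok)
    for addr, why in held.items():
        print(f"HELD {addr}: {', '.join(why)}")
```

Two design choices matter here. Addresses are normalised on both sides before matching, because a mixed-case or padded entry in one system is exactly how a genuine unsubscribe slips past a naive join. And the loader fails closed: if the ESP and website feeds produce no suppressions at all, the run aborts rather than quietly mailing everyone, since a silently empty export is far more likely than a customer base with no refusals.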
In theory the monetary penalty for sending unsolicited marketing messages can be as high as £500,000, but the ICO has discretion to match the penalty to the seriousness of the breach. The ICO's site shows that significant penalties have been issued for spam texts and nuisance calls, and that these have been reserved for organisations with clearly no intention of staying within the law. The ICO responds to the volume of complaints it receives; it provides reporting tools for emails, nuisance calls and texts, although it does not publish details of the email complaints.
Any complaint from a customer would be investigated by the ICO and the company would be asked to justify the basis on which it is sending messages. The fact that a data controller is aware of this disconnect between its website/ESP records and its database would not look good.
So there is a risk of a financial penalty, but the reputational risk to the brand should not be discounted either. Individuals can take action under PECR, and privacy activists are always keen to point the finger.
Making sure that suppression requests are honoured should be a priority for any organisation that wants to avoid regulatory action and negative PR.
Published February 2015
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.