ICO fines – this time it’s personal


If you’re a company director, it’s safe to say you’ve heard about the new data protection laws. Wearing my legal advice hat, I will tell you about the many, many obligations and mandatory business procedures you need in place to avoid those possible maximum fines of €20 million (or 4% of your company’s annual turnover, if that’s higher) for your company.

Other business advisors might tell you the GDPR is just another risk to be managed. You might expect this kind of reactive approach to data protection to go something like this: a breach of the legislation is found and identified, a fine is issued, your insurers swoop in, your premiums rise and the data protection fault is resolved. Business carries on.

When expressed so nonchalantly, it’s easy to see why not every board of directors is taking GDPR seriously, despite warnings from their lawyers and data protection officers.

As of the 17th December 2018, however, the Information Commissioner has a new string to her bow, which alters this laissez-faire landscape somewhat.

Nuisance marketing

Among the enforcement actions taken, which are published on the ICO’s website so we can have no excuse of ignorance, there is a distinct trend of data controllers being fined for nuisance marketing. This is the result of the ICO’s continuing investigation into nuisance calls and messages, one of the key consumer concerns when it comes to use of our personal data.

Throughout October last year, the ICO was investigating 103 separate cases of nuisance marketing, after receiving almost 16,000 complaints, and as a result issued a number of enforcement action notifications.

Personal liability

Marketing is governed not only by data protection laws, but by the Privacy and Electronic Communications Regulation (PECR). In an expansion of the ICO’s powers, an amendment to this law came into force last month. This amendment allows directors to be found personally liable for their company’s contraventions of these marketing regulations.

Where a company is found to have breached PECR, which in most cases will mean it is guilty of unsolicited or nuisance emails, texts or telephone calls, a responsible “director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity” may now be fined up to £500,000 in addition to any fine the company may have received. This director’s liability for breach of PECR applies to individuals who may since have left the company or resigned.

It is hoped the new powers will prevent perpetrators of wilful or negligent contraventions from escaping penalisation by placing the fined company into liquidation.

This supports the message the ICO has been putting out recently about the importance of board buy-in. The ICO has made it clear that when complaints are investigated, or breaches are reported, it will take into consideration board awareness, accountability and engagement in data protection. So if you are of the proactive school of thought, you may find a greater element of leniency and cooperation from the ICO should an enforcement notification be headed your way.

To learn more or for help with data protection, GDPR compliance or any IT legal issues, email [email protected] or call 0191 211 7777.