Data Protection News Oct 21

The ICO issued £3m of fines in 9 months for unlawful or unsolicited marketing messages. Make sure you adopt best practices in data processing and don’t rely on a change in GDPR rules following Brexit.
October 20 2021

£3m in ICO fines for data misuse - follow our best practice guide

In the first 9 months of 2021, the ICO has issued 20 fines totalling £2,965,000. The key thing to note about the ICO fines this year is that every single one of them is for unlawful or unsolicited marketing messages.

Data processing is high risk, so if you work in marketing, use third parties for marketing, or carry out a lot of marketing in-house, follow our best practice guidance:

  • Ensure your marketing activities are adequately documented – are they covered in privacy notices and on your record of processing activities?
  • Ensure that you have clear data retention rules that are enforced.
  • If you are relying on legitimate interests as your lawful basis for marketing, carry out a legitimate interest assessment to ensure that you are taking into account the risks your processing poses to the data subjects.
  • If you are relying on consent as your lawful basis, ensure you have a clear audit trail of exactly what individuals have consented to, and that they have a very easy way to withdraw that consent.
  • Ensure that personal information is adequately protected from insider and external threats, with controls such as (but not limited to) robust access controls, auditing, secure networks and encryption.
  • If third party marketing partners are used, review contracts and data processing agreements with them to ensure that the controller / processor relationships are well defined, that mandatory clauses are present and that data protection obligations are clearly stated.

More Record-Breaking Fines from Europe

There have been another two whopping fines issued from other EU countries in the last quarter:

  1. On the 22nd July 2021, the Luxembourg National Commission for Data Protection (CNPD) issued a fine to Amazon for €746m. This is by far the biggest fine to date, worldwide – almost double the combined value of every other fine issued! Amazon plans to contest the fine, claiming that the penalty is “disproportionate” and based on “subjective and untested interpretations of European privacy law”.
  2. On the 2nd September 2021, the Data Protection Authority of Ireland fined WhatsApp €225 million for flouting EU data rules. The watchdog said WhatsApp had committed “severe” infringements of the General Data Protection Regulation, relating to transparency and the sharing of user information with other companies owned by Facebook. The Irish Data Protection Commissioner was chosen as the lead Supervisory Authority to represent Europe in this investigation because Facebook and WhatsApp have their European headquarters in Dublin.

Frustratingly, little has been published about the reasons for the Amazon fine, because Luxembourg’s professional secrecy laws mean that details cannot be published until the appeal process is complete. WhatsApp, for its part, has said that its fine is “entirely disproportionate” and that it will appeal the ruling.

Changing of the Guard at the ICO; don't be complacent about GDPR

After 5 years as the UK Information Commissioner, Elizabeth Denham’s term concludes at the end of October. John Edwards (currently serving as New Zealand’s privacy commissioner) has been appointed to succeed her.

In the wake of Brexit, reforms have been outlined that are intended to enable innovation and economic growth. The primary focus areas are:

  • Simplifying data use by researchers and developers of AI and emerging tech
  • Complementing new partnerships with the world’s fastest-growing economies
  • Balancing the removal of barriers to innovation and greater empowerment for companies with tougher penalties

Although some of the strict conditions under the GDPR may be relaxed, any move away from the EU GDPR potentially puts the UK’s adequacy decision at risk. That would in turn require UK businesses to put additional safeguards in place to ensure the free flow of information between the UK and the EU.

Leading Resolutions offer a variety of data protection services, risk assessments and guidance. Please get in touch if you have any data protection questions or concerns.

About the Author

Maria McCoy

Head of Data Governance and Compliance