£3m in ICO fines for data misuse - follow our best practice guide
The ICO issued £3m of fines in 9 months for unlawful or unsolicited marketing messages. Make sure you adopt best practices in data processing and don’t rely on a change in GDPR rules following Brexit.
In the first 9 months of 2021, the ICO issued 20 fines totalling £2,965,000. The key thing to note about this year's ICO fines is that every single one of them was for unlawful or unsolicited marketing messages.
Data processing is high risk, so if you are in marketing, if you use third parties for marketing, or if you carry out a lot of marketing in-house, follow our best practice guidance:
- Ensure your marketing activities are adequately documented – are they covered in privacy notices and on your record of processing activities?
- Ensure that you have clear data retention rules that are enforced.
- If you are relying on legitimate interests as your lawful basis for marketing, carry out a legitimate interest assessment to ensure that the risks to data subjects are taken into account in your processing.
- If you are relying on consent as your lawful basis, ensure you have a clear audit trail of exactly what individuals have consented to, and that they have a very easy way to withdraw that consent.
- Ensure that personal information is adequately protected from insider and external threats, with controls such as (but not limited to) robust access controls, auditing, secure networks and encryption.
- If third party marketing partners are used, review contracts and data processing agreements with them to ensure the controller / processor relationships are well defined, mandatory clauses are present and data protection obligations are clearly stated.
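The retention and consent points above both come down to keeping records that can be queried and enforced. The following is an added example (not code from this guide or any product it refers to) showing one way to do that: an append-only consent ledger that records exactly what wording each individual agreed to, answers "did this person have consent for this purpose at this point in time?", and enforces a retention period by purging records of individuals who have had no activity within it. The purposes, sources, retention period and sample individuals are all assumptions constructed for the example.

```python
"""Append-only consent audit trail with point-in-time lookup and retention enforcement.

Added example; the purposes, sources and sample data below are constructed, not taken from the guide.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the audit trail."""
    subject_id: str
    purpose: str           # what the consent covers, e.g. "email_marketing" (assumed name)
    action: str            # "granted" or "withdrawn"
    recorded_at: datetime  # timezone-aware timestamp of the event
    source: str            # where it was captured, e.g. "web_form_v3" (assumed name)
    wording: str           # the exact text the individual agreed to (empty for withdrawals)


class ConsentLedger:
    """Events are only ever appended, so the history of a subject is never rewritten."""

    def __init__(self, retention: timedelta) -> None:
        self.retention = retention
        self._events: list[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, action: str,
                at: datetime, source: str, wording: str) -> None:
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware so the trail is unambiguous")
        self._events.append(ConsentEvent(subject_id, purpose, action, at, source, wording))

    def grant(self, subject_id: str, purpose: str, at: datetime, source: str, wording: str) -> None:
        self._append(subject_id, purpose, "granted", at, source, wording)

    def withdraw(self, subject_id: str, purpose: str, at: datetime, source: str) -> None:
        # Withdrawal is a single call with no conditions: the "very easy way" the guide asks for.
        self._append(subject_id, purpose, "withdrawn", at, source, wording="")

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True only if the most recent event for this subject/purpose at time `at` is a grant."""
        if at is None:
            at = datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.recorded_at <= at]
        if not relevant:
            return False  # no record means no consent, never a default of "yes"
        latest = max(relevant, key=lambda e: e.recorded_at)
        return latest.action == "granted"

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Everything recorded for one individual, oldest first (the audit trail itself)."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.recorded_at)

    def purge_expired(self, now: datetime) -> int:
        """Enforce the retention rule: drop all records of subjects with no activity within the period.

        Retention is judged per subject, so evidence of consent for an active subject is kept intact.
        Returns the number of events removed.
        """
        cutoff = now - self.retention
        last_seen: dict[str, datetime] = {}
        for e in self._events:
            last_seen[e.subject_id] = max(last_seen.get(e.subject_id, e.recorded_at), e.recorded_at)
        stale = {s for s, t in last_seen.items() if t < cutoff}
        before = len(self._events)
        self._events = [e for e in self._events if e.subject_id not in stale]
        return before - len(self._events)


# Constructed sample data for demonstration.
T0 = datetime(2021, 1, 1, tzinfo=timezone.utc)


def build_demo_ledger() -> ConsentLedger:
    ledger = ConsentLedger(retention=timedelta(days=365))
    ledger.grant("alice", "email_marketing", T0, "web_form_v3",
                 "Yes, send me the monthly newsletter by email.")
    ledger.withdraw("alice", "email_marketing", T0 + timedelta(days=30), "unsubscribe_link")
    ledger.grant("bob", "email_marketing", T0 + timedelta(days=300), "web_form_v3",
                 "Yes, send me the monthly newsletter by email.")
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print("alice, day 10:", ledger.has_consent("alice", "email_marketing", T0 + timedelta(days=10)))
    print("alice, day 31:", ledger.has_consent("alice", "email_marketing", T0 + timedelta(days=31)))
    print("purged events:", ledger.purge_expired(T0 + timedelta(days=400)))
    print("bob, day 400:", ledger.has_consent("bob", "email_marketing", T0 + timedelta(days=400)))
```

Two design choices matter here. Lookups are point-in-time, so a complaint about a message sent on a given date can be answered from the trail rather than from the current state; and the absence of a record is treated as no consent, so a lost or missing record can never be mistaken for permission.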