How to prevent your firm from being the next Vanquis

October 23, 2017 9:54 am

The recent £75,000 fine against Vanquis Bank – issued after it was found to have sent 870,849 spam text messages and 620,000 spam emails to promote its credit cards – is just the latest in a series of penalties issued to companies for poor data compliance practices linked to unsolicited marketing methods.
With the incoming General Data Protection Regulation (GDPR) now just over seven months away, it is important to explore which area of data protection Vanquis could have improved, and to ask what other companies should be doing to ensure the correct level of data governance is in place so that they do not end up on the receiving end of monetary penalty notices.
Is the fine of £75k strict enough?
Some would argue that Vanquis got off relatively lightly with a fine of just £75,000, in comparison to the maximum £500,000 fine that the ICO can apply to companies contravening the existing 1998 Data Protection Act and in this case the Privacy & Electronic Communications (EC Directive) Regulations 2003 (PECR).
These two figures pale in comparison to the size of the fines that will be issued under the incoming GDPR, where serious violations of the rules could result in fines of up to €20m (£17m) or 4% of global turnover (whichever is greater). Despite the slap-on-the-wrist fine received by Vanquis, its parent company’s stock fell almost 8% after the news broke, highlighting the wider reputational damage that can be incurred by the ICO ruling.
What exactly did Vanquis do to break the rules?
The ICO stated that Vanquis broke the law because the text and email recipients had not directly consented to being sent the marketing messages as per regulation 22 (2) of PECR.
The bank did not have the correct level of consent for the chosen route of contact, rendering the consent invalid as it was unclear and not specific. Regulation 22 covers the use of “electronic mail for direct marketing purposes”. If you’re going to use electronic mail as a route to send marketing messages, you must understand the boundaries and rules involved, and conduct a balancing test to determine if the data is compliant.
What procedures should other companies put in place to prevent similar fines from the ICO?
The Vanquis case should serve as a warning to the wider business world, and particularly the financial services industry, which has traditionally been seen as less “trusted” than other sectors. Financial services companies need to work harder to demonstrate best practice and transparency in their data collection and general business processes. They should use the remaining months in the lead-up to GDPR to ensure full adherence to the regulation before it comes into effect and in turn monitor progress of the e-Privacy Regulation.
While GDPR will require businesses to adopt more robust data compliance processes, it is worth businesses paying particularly close attention to Article 5 of GDPR, which is titled “Principles relating to processing of personal data”. This specifically refers to processing of data in a lawful, fair and transparent way, which when applied, will lead to a more trusted and loyal customer. It also ensures businesses keep information up to date and accurate, while reviewing permission processes on a regular basis. In summary, Article 5 states that personal data shall be:
– processed lawfully, fairly and in a transparent manner in relation to individuals
– collected for specified, explicit and legitimate purposes
– adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
– accurate and, where necessary, kept up to date
– kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
– processed in a manner that ensures appropriate security of the personal data
In the same week that Vanquis was punished, London company Xerpla was fined £50,000 by the ICO for sending nearly 1.26 million spam emails promoting products and services as far ranging as dog food, wine, competitions and boilers on behalf of other firms. Like Vanquis, Xerpla did not have the right level of consent to send the communications.
It is becoming extremely apparent that companies need to take more responsibility for their data practices. These most recent instances of data mismanagement should be yet another wake-up call ahead of next May’s deadline.
Companies should be aligning themselves with the correct compliance and governance frameworks to ensure there is accountability and ownership of both the GDPR and e-privacy regulation within their organisations.
Compliance has for a long time been the final approval process in data management but the tide has turned. Compliance is now in the spotlight and it should be embraced as a positive step forward.

Andrew Bridges is data quality and governance manager at REaD Group
