The recent £75,000 fine against Vanquis Bank – issued after it was found to have sent 870,849 spam text messages and 620,000 spam emails to promote its credit cards – is just the latest in a series of penalties issued to companies for poor data compliance practices linked to unsolicited marketing methods.
With the incoming General Data Protection Regulation (GDPR) now just over seven months away, it is worth examining which area of data protection Vanquis fell short in, and asking what other companies should be doing to ensure the right level of data governance is in place so that they do not end up on the receiving end of a monetary penalty notice.
Is the fine of £75k strict enough?
Some would argue that Vanquis got off relatively lightly with a fine of just £75,000, compared with the maximum £500,000 monetary penalty the ICO can impose on companies that contravene the existing Data Protection Act 1998 or, as in this case, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Both figures pale in comparison to the fines that will be available under the incoming GDPR, where the most serious violations could result in penalties of up to €20m (£17m) or 4% of global annual turnover, whichever is greater. Despite the slap-on-the-wrist size of the fine, the share price of Vanquis's parent company fell almost 8% after the news broke, highlighting the wider reputational damage an ICO ruling can cause.
What exactly did Vanquis do to break the rules?
The ICO stated that Vanquis broke the law because the text and email recipients had not directly consented to being sent the marketing messages as per regulation 22 (2) of PECR.
The bank did not hold the right level of consent for the chosen route of contact: the consent it relied on was neither clear nor specific, and so was invalid. Regulation 22 covers the use of "electronic mail for direct marketing purposes". If you are going to use electronic mail to send marketing messages, you must understand the boundaries and rules involved, and check that the consent you rely on is specific to that channel and to that marketing purpose; a vague or bundled consent does not meet the standard.
What procedures should other companies put in place to prevent similar fines from the ICO?
The Vanquis case should serve as a warning to the wider business world, and particularly to the financial services industry, which has traditionally been seen as less "trusted" than other sectors. Financial services companies need to work harder to demonstrate best practice and transparency in their data collection and in their general business processes. They should use the remaining months before GDPR takes effect to ensure full adherence to the regulation, and in turn monitor the progress of the e-Privacy Regulation.
While GDPR will require businesses to adopt more robust data compliance processes, it is worth paying particularly close attention to Article 5 of GDPR, titled "Principles relating to processing of personal data". It requires data to be processed in a lawful, fair and transparent way, which, when applied, leads to more trusting and loyal customers. It also requires businesses to keep information accurate and up to date, and to review permission processes regularly. In summary, Article 5 states that personal data shall be:
– processed lawfully, fairly and in a transparent manner in relation to individuals
– collected for specified, explicit and legitimate purposes
– adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
– accurate and, where necessary, kept up to date
– kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
– processed in a manner that ensures appropriate security of the personal data
Article 5(2) adds that the controller is responsible for, and must be able to demonstrate, compliance with these principles (the "accountability" principle).
In the same week that Vanquis was punished, London company Xerpla was fined £50,000 by the ICO for sending nearly 1.26 million spam emails promoting products and services as far ranging as dog food, wine, competitions and boilers on behalf of other firms. Like Vanquis, Xerpla did not have the right level of consent to send the communications.
It is becoming increasingly apparent that companies need to take more responsibility for their data practices. These latest instances of data mismanagement should be yet another wake-up call ahead of next May's deadline.
Companies should be aligning themselves with the correct compliance and governance frameworks to ensure there is accountability and ownership of both the GDPR and e-privacy regulation within their organisations.
Compliance has for a long time been treated as the final sign-off in data management, but the tide has turned. Compliance is now in the spotlight, and it should be embraced as a positive step forward.
Andrew Bridges is data quality and governance manager at REaD Group
Vanquis Bank vanquished for massive spam campaign