Information security continues to be the area of greatest risk in terms of data protection compliance, and the majority of ICO fines for data protection breaches still result from security incidents. Charities must ensure that they put in place technical and organisational measures to safeguard personal data.
In terms of electronic communications and compliance with the PECR, charities should also satisfy themselves that any new software they use is configured correctly, and that staff are given appropriate training both on how to use that software and on general compliance with the PECR when sending electronic communications.
The recent ICO fine given to the Royal Mail Group Limited (RM) is an illustration of how things can go wrong when dealing with electronic communications and the ICO's expectations around what organisations must do in practice to safeguard personal data.
As part of its 'special stamp series' campaign, RM inadvertently sent direct marketing emails via its Eloqua system to 215,202 individuals who had opted out of receiving future marketing from RM following a previous campaign. The incident arose from a manual error when using Eloqua to send a reminder about the campaign to permissioned customers. The ICO concluded that RM's actions were in contravention of regulation 22 of the PECR.
RM has demonstrated its awareness of both data protection and marketing compliance, for instance by reporting the breach to the ICO and by implementing a number of measures to prevent this happening again. Although the ICO was satisfied that RM did not deliberately set out to contravene the PECR, the ICO did consider the breach serious:
This case illustrates that if a breach is considered to be serious enough then the ICO will closely scrutinise the measures that were in place prior to the incident.
The monetary penalty of £20,000 in this case is a reminder of the seriousness of non-compliance with the law and encourages businesses to ensure that they obtain valid consent when required and that they only send direct marketing communications to those who have consented to receive them.
Make sure that you remind staff of the detailed guidance so that they understand what they need to do when carrying out marketing by phone, text, email, post or fax.
It is particularly important to remember that you can only send marketing emails or messages to individuals if you have their consent to do so.
You should check that the training you give to staff is sufficient and that new staff have completed it before they are allowed to access personal data or send electronic communications. We offer bespoke data protection training to charities to help staff become more aware of data protection risks and the situations which could arise at your agency. Please contact us if you'd like to know more about our training sessions.
The ICO's decision confirms that human error is inevitable and that alternative measures could have been put in place to prevent the contravention. The risk of sending emails to the wrong group of recipients when all recipients are held on one system (as happened here) is too great. Instead, software should be implemented with additional measures in place to check permissions before emails are sent to multiple recipients.