Information security continues to be the area of greatest risk in terms of data protection compliance, and it remains the case that the majority of ICO fines for data protection breaches are as a result of security incidents.
Despite the emergence of new software and technology, human error remains inevitable, and the ICO continues to take a stringent approach on breaches of data protection legislation as well as contravention of the Privacy and Electronic Communications Regulations (PECR).
In terms of electronic communications and compliance with the PECR, recruitment agencies should also make sure that any new software they use is configured correctly, that staff are given appropriate training on how to use it, and that electronic communications are sent in compliance with the PECR generally.
The recent ICO fine given to the Royal Mail Group Limited (RM) is an illustration of how things can go wrong when dealing with electronic communications and the ICO's expectations around what organisations must do in practice to safeguard personal data.
How Things Can Go Wrong
As part of its 'special stamp series' campaign, RM inadvertently sent direct marketing emails to 215,202 individuals who had opted out of receiving future marketing from RM following a previous campaign. The incident arose due to a manual error when sending a reminder to customers about the campaign.
The monetary penalty of £20,000, in this case, is a reminder of the seriousness of non-compliance with the law. It also encourages businesses to ensure that they obtain valid consent when required, and that they only send direct marketing communications to those who consent to receiving it.
Getting it Right
The ICO acknowledged that RM had an awareness of both data protection and marketing compliance, for instance by reporting the breach to the ICO and by implementing a number of measures to prevent it happening again. However, whilst the ICO was satisfied that RM did not deliberately set out to contravene the PECR, the breach was serious enough to merit a significant fine.
This case illustrates that if a breach is considered to be serious enough then the ICO will closely scrutinise the measures that were in place prior to the incident:
- By storing all consented and non-consented email addresses on the same system together with the risk of human error which can occur, RM should have been aware of the risk that direct marketing emails could be sent to customers who had opted out.
- RM did not have valid consent to send the direct marketing emails, either because an individual had opted-out, or because they had used RM's services as a guest (without creating an account) and did not have sight of RM's privacy notice to be able to give valid consent.
- For customers who checked out as guests, RM cannot rely on the soft opt-in exemption because they were not given the opportunity to refuse use of their contact details for the purposes of direct marketing.
- RM should have been aware of its responsibilities under PECR as a result of detailed guidance published by the ICO.
- RM had already used a 'templated solution' in its 'single contact' campaigns and could have adopted it for all of its campaigns.
What Are the Key Considerations?
- Guidance - when commencing a new campaign, make sure you follow the guidance published by the ICO, and that staff understand the rules for carrying out marketing by phone, text, email, post or fax.
- Consent - it is particularly important to remember that you can only send marketing emails or messages to individuals if you have their consent to do so.
- Pitfalls of relying on software - assume that human error is inevitable and put in place alternative measures to prevent mistakes. The risks of sending emails to the wrong group of recipients when stored on one system (as happened here) are too great. Instead software should be implemented with additional measures in place to check permissions before sending emails to multiple recipients.
- Training - you should check that the training you are giving to staff is sufficient and that new staff have had the training before they are allowed access to personal data and send electronic communications. We offer bespoke data protection training to recruitment agencies to help staff become more aware of data protection risks and situations which could arise at your agency. Please contact us if you'd like to know more about our training sessions.
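As an added illustration of the "check permissions before sending" point above (this is not code from the article, the ICO or Royal Mail), the gate below encodes the three consent conditions the ICO set out: an opt-out always wins, an account holder who saw the privacy notice may be emailed on the basis of consent, and a guest checkout qualifies for the soft opt-in only if the customer was given the chance to refuse. The contact fields and sample addresses are assumed and constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Contact:
    """Assumed data model: what a marketing system would need to record per address."""
    email: str
    opted_out: bool = False        # refused marketing after an earlier campaign
    consented: bool = False        # valid consent given (account holder, saw the privacy notice)
    guest_checkout: bool = False   # used the service without creating an account
    offered_refusal: bool = False  # was offered a chance to refuse marketing when details were collected


def may_send_marketing(c: Contact) -> tuple[bool, str]:
    """Decide per address, in the order the ICO's findings imply: opt-out first, then consent, then soft opt-in."""
    if c.opted_out:
        return False, "opted out"
    if c.consented:
        return True, "consent"
    if c.guest_checkout and c.offered_refusal:
        return True, "soft opt-in"
    if c.guest_checkout:
        return False, "guest checkout without opportunity to refuse"
    return False, "no consent recorded"


def gate_campaign(contacts: list[Contact], campaign_id: str) -> dict:
    """Split a recipient list into a send list and a suppression list with a reason for each.

    Every campaign passes through this gate regardless of how the list was built, so a
    manual error in assembling the list (as in the RM incident) cannot by itself reach
    opted-out customers.
    """
    send, suppressed = [], []
    for c in contacts:
        ok, reason = may_send_marketing(c)
        (send if ok else suppressed).append((c.email, reason))
    return {"campaign": campaign_id, "send": send, "suppressed": suppressed}


# Constructed sample data covering each of the cases in the ICO's findings.
SAMPLE_CONTACTS = [
    Contact("account-holder@example.invalid", consented=True),
    Contact("opted-out@example.invalid", opted_out=True, consented=True),
    Contact("guest-refusal-offered@example.invalid", guest_checkout=True, offered_refusal=True),
    Contact("guest-no-notice@example.invalid", guest_checkout=True),
    Contact("unknown@example.invalid"),
]


def run_example() -> dict:
    return gate_campaign(SAMPLE_CONTACTS, "special-stamp-reminder")
```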
For advice on protecting your recruitment agency, please contact Penny Bygrave in our Recruitment team on 07909 681572, or complete the form below.