Regulation Hub Update
20 Feb 2018
There’s still no official announcement from the PCI DSS Council about the anticipated new guidance (ruling that ‘pause & resume’ won’t take a contact centre out of scope), subsequent to a consultation that was due to finish in March last year.
I’m sure there’s a ‘pause & resume’ gag to be written here…
This quarter (24th January) Dave Clark kindly volunteered to be the Council’s representative at the Linden meeting – and wrote some useful notes, unlike some of us…
However, we’ll have to hold that over until next month, as the ICO circulate their initial minutes to the numerous attendee organisations for approval.
The Fundraising Regulator (FR)
Following the close of the FR’s recent Code of Fundraising Practice consultation exercise (https://www.fundraisingregulator.org.uk/code-of-fundraising-practice/consultations/code-consultation-october-2017/), the revised Code will be launched this month and will embrace the concept of Legitimate Interest, rather than solely Consent, to underpin fundraising. There’s now a new consultation, which is looking at complaints, fundraising platforms and the necessity of fundraisers adopting TPS Assured (as we’ve discussed a few times recently): www.fundraisingregulator.org.uk/code-of-fundraising-practice/consultations/code-consultation-feb-2018/
Still no sign of this getting the nod through Parliament, which is odd as it would surely be universally popular (apart from with those scammers and crooks eligible to join the Institute of Directors).
Direct Marketing Commission
As you know, the DM Commission oversees the DMA’s Code. Their annual report for 2017 www.dmcommission.com/?attachment_id=3507 is a relatively interesting read and highlights its two most significant investigations - in that they were of DMA members it felt to be clearly in breach of the Code. One (about proof of door drops) didn’t quite maintain my attention, but the second was based on the hoary old issue of the validity and consent status of 3rd party, offshore contact centre-generated ‘lead gen’ data. It will be interesting to see if the 2018 report – in the wake of the GDPR and new Data Protection Act – is very different.
No relevant news from Ofcom this month.
Meanwhile, after sterling work from the Council and various fellow travellers, we have got a decent number of contact centres to complete our Survey Monkey survey to assess how outbound contact centres have responded to Ofcom’s revised Persistent Misuse rules (www.ofcom.org.uk/__data/assets/pdf_file/0024/96135/Persistent-Misuse-Policy-Statement.pdf).
However, I’m sure we could get a few more before we do the analysis so feel free to share the link still further: https://www.surveymonkey.co.uk/r/W897TNC
Telephone Preference Service (TPS)
A gradual process of number cleansing has started over recent months. It’s limited to the extent of stripping out redundant or reassigned numbers from the TPS database.
In terms of its real-world impact, our own Dave Clark has shared some stats showing that in his experience to date the cleansing has resulted in a c.6% drop in landline volumes, with a reduction in mobiles still awaited (see table below).
Source: NTT www.nttfundraising.co.uk
DMA’s press release on the TPS data cleanse: www.dma.org.uk/press-release/dma-and-ico-update-to-tps-system
GDPR and ICO
Data Protection Bill
The Bill has completed its 3rd Reading in the Lords and will now go to the House of Commons. As yet, there have been no amendments which have altered the commercial and direct marketing aspects of the proposed new legislation.
As previously mentioned, the ICO is backing up a lot of areas on which it will provide definitive, final guidance ‘early in 2018’. But not this early, it seems…
DMA and the GDPR Taskforce
The DMA has issued some pithy infographic guidance on the vexed issues of Consent www.dma.org.uk/article/dma-insight-the-legal-base-for-consent and Legitimate Interest www.dma.org.uk/article/dma-insight-the-legal-base-for-legitimate-interests
The DMA Legal Team is working on an update to the existing template Data Processing Agreement (www.dma.org.uk/article/data-processing-agreement-template) which will reflect the GDPR. Expect it to be published over the next few weeks.
The Legal Team should also shortly start reviewing our Agent Training Guide.
After a bit of a Christmas break, the ICO Enforcement has been busy again:
Newday Limited – a £2bn turnover store card provider fined £230k for sending 48m marketing emails over nearly 2 years without being able to demonstrate proper consent to do so.
Newday used affiliates, which have long been in the ICO’s sights for non-consented marketing.
TFLI - a loan broker, trading as Best Loans, fined £80k for sending un-consented loan offer texts.
Goody Market UK – Goody run an insurance comparison site and have been fined £40k for sending texts to data purchased from a 3rd party broker for which they could not demonstrate marketing consent.
Barrington Claims Limited – fined £250k for sending 15 million recorded marketing ‘robo-calls’ about PPI claims over 3 months in 2016. One of the reasons this fine was so large was that Barrington were clearly unresponsive to the ICO’s enquiries. Unsurprisingly, the Claim Management Regulator cancelled Barrington Claims’ licence in spring 2017.
Miss-Sold Products UK – like Barrington Claims, Miss-Sold sent millions (74m) of automated recorded marketing calls (about a variety of subjects) in the space of a few months. Miss-Sold were fined £350k for “blatantly ignoring the law” – the fine again partly aggravated by their failure to engage with the ICO.
Holmes Financial Solutions – fined £300k for failing to be able to demonstrate marketing consent for c.26 million automated recorded calls about debt management, IVAs and trust deeds. A large part of the data was received from a 3rd party without any contract in place.
One thing that Barrington Claims, Miss-Sold Products and Holmes Financial Solutions all have in common is that their automated ‘robo-dialling’ of pre-recorded messages was carried out using DXI technology, now 8x8 (www.8x8.com/uk). Presumably information on the rogue users of the technology was acquired through the ICO serving a Third Party Information Notice on DXI/8x8.
This is the same process the ICO used as part of their investigations of The Lead Experts, which was fined £70k for similar infringements in October last year, when they obtained information from another 8x8 legacy technology supplier, Easy Contact Now: www.channeldoctors.co.uk/blog/29-technology-providers-it-s-time-to-wake-up-to-the-gdpr
Other ICO News
As literally everyone knows, 26th January was the 12th annual Data Protection Day. Whoo!
Carphone Warehouse has been fined £400k as a result of a preventable breach of customer and employee data in 2015. That’s the same size fine as TalkTalk received for their more high-profile 2016 data breach.