Regulation Hub Update - July 2018
17 Jul 2018
Written by Steve Sullivan, founder of Channel Doctors and deputy chair of the DMA Contact Centre Council
PCI DSS
No sign of the long-delayed new PCI DSS guidelines which will specifically address the contact centre world and consider new telephony and digital based scope reduction technologies (expected to make clear that ‘pause & resume’ will only take the call recorder and call recording storage out of scope of the PCI DSS and won’t take a contact centre out of scope).
We’ll continue to keep you posted when we know more.
Operation Linden
Mike Lordan has updated us on the Linden meeting of last month. Three discussion areas of note:
- ICO was about to levy a significant marketing-related fine (I assume that’s the BT one listed under ICO Enforcement Actions, further on)
- Ofcom discussing their new CLI display rules taking effect from October
- FCA preparing to take over regulation of the claims management sector from the ministry of Justice in April 2019
The Fundraising Regulator
The FR’s new Code of Fundraising Practice has dropped the requirement (?) for charities undertaking telephone fundraising to become TPS Assured registered. TPS commented: “Despite the decision of the Fundraising Regulator to no longer have TPS Assured as a requirement of its code of practice, they have also reaffirmed the importance of every organisation checking the TPS register before making outbound calls. The certification was and remains an option for organisations to ensure they are following both their legal obligations and best practice when it comes to making marketing calls, but we appreciate it might not be suitable for every organisation.”
Director Fines
The Department for Digital, Culture, Media & Sport has confirmed that it will publish results of the consultation about giving the ICO the ability to fine company directors after it ends on 21st August.
The Direct Marketing Commission
No news from the DM Commission this month – and possibly won’t be until next year’s annual report for 2018.
Ofcom
We are hoping to have a representative of Ofcom come along to a Contact Centre Council meeting, soon, thanks to Al White.
In the meantime, after some final edits, the blog to accompany the findings of the Council’s Ofcom Persistent Misuse rules survey is due to be published this week.
Telephone Preference Service (TPS)
The TPS data cleanse now appears to be half-way, with landlines cleansed, but mobiles not yet started. Our view from the contact centre 'coalface' via Dave Clark bears this out - three million landlines have been removed from the register since the start of the year.
Source: NTT www.nttfundraising.co.uk
John Mitchison hopes to give us an update on timescales for the next phase of cleansing, shortly.
GDPR, the new Data Protection Act and ICO
Contact Centre Agent Training Guide
On 27th June the Contact Centre Council’s GDPR Contact Centre Agent Training Guide was published.
On the same day our Dave Clarke provided practical guidance on the management of Subject Access Requests as part of the DMA’s Get Up To Date With Subject Access Request webinar. You can watch it again here.
The DMA’s latest GDPR guide for marketers has been launched – on Profiling
DMA and the GDPR Taskforce
The Responsible Marketing Committee has decided to wind up the GDPR Taskforce as, Farage-like, its work is done. However, they are keen to continue with a successor cross-council group to look at legislation and compliance. I’ll keep you updated as and when this takes shape.
Age Appropriate Design Code
A call for evidence (which will run to September) on the ICO’s planned Age Appropriate Design Code has started with stakeholders involved and interested in online assets used by children.
On that theme, the BBC has published research showing that the most commonly-used social media sites – including many with child users - had lengthy and complicated privacy policies.
ICO ‘Your Data Matters’ Pledge
Update: Since last month’s Hub Update – when it didn’t look like anyone had signed the ICO’s Your Data Matters Pledge (pledging their support of the data protection laws and regulations) over a hundred individuals and organisations have now done so.
That’d Do Nicely
The ICO has launched a competition for organisations which are undertaking work and projects to enhance data privacy. Its Grants Programme offers awards between £20,000 and £100,000.
I’m checking the small print to see if they could see their way to supporting the production of the Contact Centre Council’s Compliance & Regulation Hub Update...
Overseas News
The French data protection regulator, CNIL, has fined Optical Center - an online optician – a record €250,000 for a breach of consumer data. This is on top of a €50,000 fine levied on Optical Center in 2015 for poor data protection practices:
As the breach was highlighted prior to the implementation of GDPR, it’s not clear what direction future fines may take.
Westminster News
Data Protection guru and part-time GDPR vigilante, Tim Turner, lodged a Freedom of Information Request with the House of Commons to unearth that a consultancy had been paid over £97,000 to deliver GDPR training to Commons staff. Unfortunately, the training seems to have been of dubious value and accuracy. Chris Bryant MP told the House that the training “…gave MPs’ staff the impression that they should be deleting all electronic information relating to their constituency casework from before the 2017 general election”.
ICO Enforcement
A few interesting ICO Enforcement cases from a marketing and customer engagement perspective:
- A big name (BT) gets fined for sending emails to customers which the ICO judged to be marketing when BT regarded them as service messages
- An insurance sales generation operation gets fined for calling TPS-registered numbers and a double glazing firm is ordered to cease telemarketing for the same reason
- An estate agency is ordered to respond to a previously-ignored Subject Access Request
BT has been fined £77,000 for PECR infringements, sending 4m of what the ICO considered to be marketing emails to customers who had opted out of marketing. The cases date back to 2015 & 2016.
This case is rather involved, but some key elements are:
- The ICO rejected BT’s use of the ‘soft opt-in’ on the basis that the services being promoted (charity campaigns ‘Giving Tuesday’ & ‘Stand Up To Cancer’ and BT’s donation platform ‘My Donate’) were wholly dissimilar to the telecommunications services customers purchased from BT
- The ICO’s investigation was triggered by just one customer complaint
- BT’s interpretation of emailing customers to introduce them to ‘My Donate’ as a service message was rejected by the ICO
- The ICO judged that although BT’s contravention wasn’t deliberate, it was negligent – especially because “an organisation of BT’s size” should have been fully aware of the PECR rules
Our Vault Limited (OVL) – an insurance broker cum lead generator for ST&R - has been fined for repeatedly calling over 55,000 consumers registered on the TPS. There was considerable evidence that the total number of TPS-registered numbers called over a period of years was considerably higher.
Militating factors the ICO lists include:
- OVL being FCA registered (so presumably quite compliance-aware)
- OVL continuing to outbound call after the ICO first raised its concerns and failing to engage with the ICO
- Its calls being regarded as ‘sugging’ – that is, acting as lead generation calls for ST&R under the guise of research
Horizon Windows of Swansea have been ordered to cease their illegal direct marketing activities – that is, calling prospects who have registered with the TPS and/or already told Horizon that they do not want to receive further calls. The ICO specifically looked at a 12 month period from January 2016 and identified over 100 instances of TPS-registered numbers being called – as well as examples after this period identified through complaints to the ICO and the TPS. In the Enforcement Notice the ICO states that the Commissioner has exercised discretion – presumably through not imposing a fine – but I’m not wholly sure what the basis for her doing so was. That said, ordering a double glazing firm to stop using what, presumably, was its main marketing channel is likely to have a dramatic impact. Horizon are still answering their phone, but (see right) Google thinks they’ve closed.
In both the Our Vault and Horizon cases the ICO checked with the TPS whether either organisation had obtained and used a TPS licence to screen calling data. They hadn’t – and presumably there was no confidence that they had asked a third party supplier to do so on their behalf. This is another indication of the close working relationship between the ICO and TPS.
Ainsworth Lord Estates
Ainsworth Lord Estates is an estate and lettings agency in Darwen, Lancs.
It has been served an enforcement notice for failing to respond to a Subject Access Request – or to subsequent correspondence from the ICO. So, no fine levied at this stage, but if Ainsworth Lord doesn’t comply then they will be liable for prosecution and fines.
Probable Data Breach Cases Coming Up in the Future
Ticketmaster is a name that will probably crop up here later this year, as they have revealed a data breach which ran from February to June this year. The breach has resulted in an unknown number of customers suffering from fraudulent card transactions. Already the ICO has stated: “We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts”.
Interestingly, Ticketmaster have already declared that the data breach was the result of malware on their 3rd party chatbot, supplied by Inbenta – and card supplier Monzo say they told Ticketmaster about the breach in April, but couldn’t get them to respond.
I feel that a couple of law firms may be kept busy with this one.