Regulation Hub Update - March 2019 | DMA


This article is written by Steve Sullivan who is the Deputy Chair of the Contact Centre Council.

This Month’s Headlines

  • Two ‘dawn raids’ of contact centres by the ICO
  • Fundraising Regulator doubles down on ‘naming & shaming’ of charities
  • The first ICO ‘GDPR’ fines may be a while away
  • Vote Leave fined £40k for sending illegal texts
  • PPI ‘robo-call’ company director banned
  • All about the Direct Marketing Commission

Ofcom

In March Ofcom & the ICO published their annual update for the Nuisance Call and Messages Action Plan they initiated in 2013.

Although Ofcom’s survey research shows that consumers’ experience of ‘nuisance’ contacts is falling (see below), complaints to the ICO are fairly static.

TPS

No news from the TPS this month.

However, we are overdue a check-in on how its data cleansing of registered mobile numbers which have now been re-assigned is progressing. We’ll try and get that for next month’s update.

PCI

We have decided to create a short survey to better understand how contact centres are adapting to the Payment Cards Industry (PCI) Security Standards Council’s updated Guidance for Phone-Based Card Payments. More on this over the next couple of months.

Council member Tom Davies from Ultracomms has given us a heads-up on PSD2 (the EU’s Second Payment Services Directive) and the new 3D Secure 2.0 standards for online payments. Here’s a quick video guide to 3DS 2.0 from Visa. PSD2 formally goes live in September, but Tom’s highlighted that there’s a significant shift in liabilities before that:

  • April 2019 - 3DS 2.0 liability shift. Both Visa and Mastercard are encouraging banks to get ready for PSD2 by being 3DS 2.0 compliant. This is a good target month to be ‘PSD2 ready’ as a business too. From this point forward, if a business requests 3D Secure 2.0 and the issuing bank cannot accept it, the business receives an automatic liability shift. So if the banks haven’t got 3DS 2.0-ready then they are left holding the liability baby!
  • September 2019 - PSD2’s SCA requirements go live in Europe. Any business with substantial European volume will need to have 3D Secure 2.0 implemented by this date in order to most effectively meet SCA (Strong Customer Authentication) requirements.

PSA

Similarly to last month, the PSA has taken further action against Xplosion, a quiz service provider which had been previously sanctioned, but failed to pay fines or administrative fees. The original PSA adjudication, including Xplosion’s fines of over £1m, was covered in our October update.

The Fundraising Regulator

The FR has announced that the tiered amounts of levy they require from charities spending over £100,000 annually on fundraising will increase more gradually at the lower levels.

The FR has started to publish a list of charities which have not actioned supporters’ requests that they cease marketing / fundraising after registering with the Fundraising Preference Service (FPS). The FR explain that these failures to respond to the FPS breach the FR’s Code of Fundraising Practice and also that the ICO has said that it may regard them as breaches of the 2018 Data Protection Act.

1st March is the date from which the names of charities which are complained about to the FR will be published, irrespective of whether the complaints are upheld or not. The first such list is due to be published in June.

The DMA

The DMA’s data protection conference, Data Protection 2019, was held on 1st March. Here are some notes from the speakers’ contributions.

The ICO

The ICO is continuing to attempt to shed some light on what either a ‘Deal’ or ‘No Deal’ Brexit might mean. Here’s a podcast from the ICO & Federation of Small Businesses.

ePrivacy Regulation

Meanwhile, in Brussels the mood music suggests that the Commission and Council are keen to get the ePrivacy Regulation text agreed before the next round of EU Parliamentary elections in May.

ICO Regulatory Sandbox

Now that we think we understand what it is, the ICO’s Sandbox has had a workshop session to explore how it might work, as this ICO video explains.

However, Tim Turner thinks the Sandbox isn’t a very good idea and – not unreasonably – questions why there seems to be secrecy about who attended the workshop (and appeared on the video).

ICO and AdTech

The ICO has held a ‘Fact Finding Forum’ with over 100 attendees, “from publishers to advertisers, from civil society to start-ups, from adtech firms to lawyers” to discuss the future of the AdTech industry. The tone of this blog by Simon McDougall, the ICO’s Director for Technology Policy and Innovation, is positive and may provide some reassurance to the AdTech community when they are feeling under siege from data protection regulators (and the Chancellor has asked the Competition & Markets Authority to investigate the digital advertising market).

ICO Enforcement Actions

It’s been a quiet month for the ICO on the Enforcement front. Aside from the usual clutch of NHS workers looking at patient records without any justification, employees harvesting work contacts before leaving their employer, etc., there’s been one pre-announced fine and a couple of ‘dawn raids’ (which were probably undertaken at a more civilised time of day):

Vote Leave has been fined £40,000 for its role in the illegal data sharing between it and Arron Banks’ Eldon Insurance (trading as Go Skippy). Eldon was fined £60,000 in February.

The ICO investigations teams dusted down their blouson jackets for a couple of unannounced raids of the premises of businesses in Brighton and Birmingham on 12th March. Both businesses are suspected of making live and automated ‘nuisance calls’ and the raids come after a year-long investigation.

No doubt we will have details of the subsequent enforcement actions in this update over the coming months.

No ‘GDPR’ Fines Just Yet?

At a time when the anticipation of the first ‘GDPR era’ fines from the ICO grows and grows, this article from Mishcon de Reya’s Jon Baines suggests that there may not be any for a while yet.

Through a Freedom of Information Request, Mishcon have established that the ICO hasn’t yet served a single notice of intent to issue a fine (a notice of intent needs to be provided to an organisation the ICO plans to issue with a financial penalty and a reasonable amount of time granted for them to respond with their representations). So, we all may have to wait for a while yet.

The Insolvency Service

The government’s Insolvency Service is clearly now on a roll, taking action against the directors of companies which have been subject to ICO enforcement action, but haven’t paid the fines:

Richard Jones – Miss-Sold Products UK & Your Money Rights. Miss-Sold was fined £350k in January 2018 for infringing the PECR regulations by sending millions of un-consented PPI recorded messages, as featured in our February 2018 Update. Miss-Sold had failed to engage with the ICO and didn’t pay the fine. Prior to that action, in September 2017, the ICO fined Your Money Rights £350k for the same sort of illegal calls. Again, the fine wasn’t paid. Richard Jones was a director of both subsequently-dissolved firms and has now been barred from acting as a company director for 8 years.

International News

The Netherlands data protection regulator (Autoriteit Persoonsgegevens) has published the over-lapping range of fines it plans to impose under the GDPR regime*

1. up to 200,000 euros

2. 120,000 to 500,000 euros

3. 300,000 to 750,000 euros

4. 450,000 to 1 million euros.

They have also published guidelines as to what sort of cases would sit in which category and what kind of case may trigger fines of over 1m euros – but they’re in Dutch and haven’t yet been translated into English so we may have to come back to that one…

* Thanks to www.privacylaws.com for that information.

The Direct Marketing Commission

The Direct Marketing Commission (DMC) investigates all direct marketing complaints against DMA members where the complaint is within the scope of the DMA Code.

The Commission’s annual report for 2018 – covering the 12 months from 1st July 2017 to 30th June 2018 – was published a couple of weeks ago.

In the introduction, Chief Commissioner George Kidd says that regulating direct marketing can "...seem an impossible task when the regulators must follow Marquess of Queensberry rules and due process and the rogues can do as they please".

Surprisingly, the number of complaints sent to the DMC halved in 2018 to a little over 100, of which only 27 were about DMA members. Less surprisingly, 83% related to data, privacy and quality (up from 69% last year), with the remaining complaints split between customer service (14%) and contractual (3%) issues.

Full details are in the Report, but only two cases resulted in formal investigations. The one which was contact centre-related was featured in our February update.
