Regulation Hub Update - May 2018

Written by Steve Sullivan, founder of Channel Doctors and deputy chair of the DMA Contact Centre Council

PCI DSS

You may recall that after over a year of radio silence on the proposed new guidance from the PCI DSS Council (ruling that ‘pause & resume’ won’t take a contact centre out of scope), I contacted PCI’s press office to enquire.

No reply! I’ll keep trying…

Operation Linden

As mentioned the next Linden meeting is on 5^th June, 10.30 to 12.30.

Minutes from the last one are still on the ICO’s website: www.ico.org.uk/media/action-weve-taken/reports/2258558/20180124-operation-linden-minutes.pdf

The Fundraising Regulator

The FR has published its new guidance on the handling of complaints and amended the Fundraising Code, in line with a consultation earlier this year.

Director Fines

Still no sign of the government asking Parliament to approve the prosecution of individuals engaged in illegal marketing activities, not just their companies.

The Direct Marketing Commission

No news from the DM Commission this month – and possibly won’t be until next year’s annual report for 2018. www.dmcommission.com/?attachment_id=3507

Ofcom

The DMA Research team weren’t able to help with the presentation of the results of the Council’s survey into how outbound contact centres have responded to Ofcom’s revised Persistent Misuse rules www.ofcom.org.uk/__data/assets/pdf_file/0024/96135/Persistent-Misuse-Policy-Statement.pdf

I’ll aim to circulate something by w/c 14^th May. Apologies for the delay

Ofcom has further clarified the need for organisations to display a CLI number when calling outbound www.ofcom.org.uk/consultations-and-statements/category-2/guidelines-for-cli-facilities Specifically this includes the requirement that the numbers are “…valid, dialable and uniquely identify the caller…” – which we all may have thought was the case already, but it seems that some naughty people have been using numbers that can’t actually be called. Again, Ofcom are putting the onus to ensure compliance more onto the communications/network providers.

Telephone Preference Service (TPS)

The TPS data cleanse www.dma.org.uk/press-release/dma-and-ico-update-to-tps-system continues. Our view from ‘the coalface’ via Dave Clark shows that mobiles are still not being removed.

Source: NTT www.nttfundraising.co.uk

GDPR and ICO

Data Protection Bill

The Bill is still in Committee in the House of Commons. The Telegraph has reported that Government amendments will extend the ICO’s powers to demand almost-immediate responses from organisations under investigation conduct raids without notice and pursue former employees: www.telegraph.co.uk/news/2018/04/28/firms-face-surprise-raids-data-inquiry/?WT.mc_id=tmg_share_tw

GDPR Guidance

There have been incremental updates from the ICO over the past few weeks, but nothing of great interest: www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new/

ICO "Your Data Matters"

The ICO has announced that its publicising of people’s data protection rights will launch on 25^th May and it has already issued some initial materials. (apparently, these cuties are known as ‘the Fingerprint Family’. Awhh)

I’m also told the ICO has radio ads airing, but I’ve not heard them

DMA and the GDPR Taskforce

After the guides on

• GDPR Essentials
• Accountability

The DMA has issued

• Consent & Legitimate Interests (after updates from the ICO, last month)
• With Profiling to follow this month

We should be able to finalise our Agent Training Guide – after input from various Council members over the past 2 to 3 weeks this week, before re-looping through with Legal and then IDM / copywriters.

I chaired Jaywing’s ’10 Steps to Prepare for the New Regulation’ webinar on 18^th April.

The next DMA GDPR Taskforce meeting is on 22^nd May.

ICO Enforcement

No ‘big names’ in the past month, but some interesting insight into how the ICO works and the type of response from companies under investigation that can make a bad situation a lot worse.

The Energy Saving Centre (also trading as Energiglass, Energisaver and Energy Care) which provides replacement windows, doors and energy saving glass has been fined £250,000 by the ICO for infringements of the PECR rules.

Energy Centre, based in Bradford, had repeatedly made unsolicited marketing calls to prospects registered on the TPS. The initial period of analysis from June 2016 to January 2017 was triggered by hundreds of complaints to the TPS and ICO. It transpired that over that period over 7 million calls were made – and on the basis of one sample day (5^th December 2016), nearly 80% of numbers called were TPS registered. Full details are here: www.ico.org.uk/media/action-weve-taken/mpns/2258727/energy-saving-centre-ltd-mpn-20180416.pdf but the aggravating factors highlighted by the ICO are of note

• Energy Saving Centre failed to engage with the ICO’s investigation – and continued dialling unabated after the investigation was triggered
• They used multiple CLIs which were not all initially revealed
• Failed to properly ensure that 3^rd party data suppliers were not supplying TPS-registered records
• Had no internal documentation, processes or staff training around PECR and data protection

Alex Goldthorpre, a sole trader trading as Approved Green Energy Solutions (AGES) – another Yorkshire energy saving solutions provider - was fined £150,000 by the ICO for almost identical infringements:

• Calling TPS registered prospects
• Generating over 100 TPS complaints from c.400k connected outbound calls made from April to July 2017
• Using 3^rd party data with no contractual or process controls to ensure data was TPS screened

And failing to respond to initial contacts from the ICO and Mr Goldthorpe admitting he had no understanding of his obligations

IAG Nationwide

IAG or the Insurance Advisory Group was identified from consumer complaints to the ICO and TPS in 2017. IAG were making repeated, aggressive ‘accident claim’ calls to individuals, a number of whom were TPS registered. When the ICO called one of IAG’s CLIs the contact centre agent and their supervisor refused to divulge their address and gave a false email address.

Big mistake.

The ICO then served a Third Party Information Notice on the telecoms provider of the CLI number, which explained that it had been sold by a re-seller – which in turn received a Third Party Information Notice. That yielded the company identity and the fact that it had made half a million calls between May and August 2016 – nearly 40% of the numbers were TPS registered.

IAG was fined £100,000.

Costelloe & Kelly

Costelloe & Kelly sent nearly 300,000 unsolicited marketing text messages promoting funeral plans in June & July 2017 using 3^rd party data. Most of these messages didn’t identify Costelloe & Kelly as the sender. When investigated Costelloe & Kelly said they relied on their data provider to ensure marketing consent but carried out “little or no due diligence checks”.

The fine of £19,000 is low compared to similar enforcement actions, but the ICO identified some mitigating factors:

• Costelloe & Keely cooperated with the ICO investigation
• The ICO has received no subsequent complaints and the original campaign was quickly terminated
• Costelloe & Kelly, its directors and officers don’t have ‘form’; they have not been involved in similar infringements in the past.

Just like IAG, Costelloe & Kelly is based in Stockport, just a stone’s throw from the ICO’s Wilmslow home. A coincidence?

SCL Elections

Finally, not strictly in the direct marketing world, but of interest - a SARs case with added news value…

An American academic lodged a Subject Access Request with Cambridge Analytica, which passed the request to its agent, SCL Elections. To cut a long story short, SCL cashed their £10 cheque and provided personal data including the claimant’s voting record in 14 years of US elections and a profile of his views on a number of political issues. When he and then the ICO questioned the basis for this data, SCL responded that as the claimant was in the US they have no obligations to him under the (1998) Data Protection Act. The ICO disagreed and SCL has been served notice by the ICO to fully provide the data and sources requested.