Regulation Hub Update - September 2018
17 Sep 2018
As we come out of the summer, it’s been a quiet month for Compliance and Regulation, but there are a couple of developments and stories to note, including:
- a ban on unsolicited outbound claims calling
- a £60,000 fine for a marketing agency sending unsolicited emails
- more big brands owning up to data breaches
- stirrings from the PCI
Claims Management Outbound Cold Calling Banned
On 8th September the Department for Digital, Culture, Media & Sport (DCMS) announced that subsequent to an amendment to PECR (Privacy and Electronic Communications Regulations) made in the Financial Claims and Guidance Act 2018, the ‘cold calling’ of prospects about claims management services - typically PPI mis-selling and personal injury claims – would be banned. In future, organisations wanting to outbound call consumers about claims management services must first have their prospects’ specific consent to such marketing. Infringements will be monitored by the ICO and subject to fines of up to £500,000.
This measure is likely to have broad support, even if some would question the basis for a proposition- or sector-specific approach (is a call any less nuisance-causing if it’s about a fictitious car accident than about the need to replace the soffits on my house?). It’s worth noting that Accident Claims topped the list of the most complained about calls in the ICO’s latest report.
The Department for Digital, Culture, Media & Sport (DCMS) is still assessing the responses it received during the consultation about giving the ICO the ability to fine company directors, which ended on 21st August.
Telephone Preference Service (TPS)
As previously noted, the TPS data cleanse is half-way through. Around 3m landlines have been cleansed and removed from the register, but the process for mobiles hasn’t yet started.
All seems quiet on the Ofcom front but we still hope to have an Ofcom representative to join us for a Contact Centre Council meeting in the autumn.
Ban on Pensions Cold Calling
The proposed government ban on unsolicited cold calling about pensions is still on track to take effect in the autumn, now that the Treasury’s second consultation period has come to an end. As a recap, the FCA can only ban cold calling carried out by FCA-regulated firms, and the ICO cannot do so directly as it would be an extension of PECR. Therefore the ban will require primary legislation, sponsored by the Treasury, to be passed by Parliament.
We have had an update from John Greenwood of Compliance 3 about the long-delayed new PCI DSS guidelines which will specifically address the contact centre world and consider new telephony and digital based scope reduction technologies (which have been expected to make clear that ‘pause & resume’ won’t take a contact centre out of scope of PCI DSS):
“With the PCI Community Meetings scheduled for later this month in North America and the European Community meeting taking place in London next month, we should expect news on the timeline for publication of the new guidelines on Securing Telephone-based Payment Card Data. When the Special Interest Group (SIG) was voted on in October last year, publication timings were anticipated as being before the end of this year. More news to follow.”
The Fundraising Regulator (FR)
No news or changes of note from the Fundraising Regulator, this month.
GDPR, the new Data Protection Act and ICO
DMA Privacy Taskforce
The first meeting of the Taskforce (successor to the DMA’s GDPR Taskforce) was last week. There were plenty of discussion points, including: dialogue with DCMS over the government’s approach to the delayed ePrivacy Directive; potentially working with the DMA’s brand members and ISBA to find some common ground on the implications of GDPR; preparations for a new DMA Value of Data campaign; recent ICO enforcement actions; and agreement to create practical guidance on the requirements of implementing Privacy by Design.
An understandably quiet month for the ICO in terms of enforcement… Lewisham Council had its knuckles rapped for being slow to respond to residents’ Subject Access Requests (SARs), but we needn’t concern ourselves with that. We can have a look at the only other enforcement action made this month:
Everything DM Limited (formerly MarketingFile) of Stevenage has been fined £60,000 for sending over 1.4m unsolicited emails between May 2016 and May 2017. Everything DM is a hybrid data provider and marketing agency which sent emails on behalf of its clients using its Touchpoint application (not to be confused with the many other solutions called Touchpoint). The ICO ruled that neither Everything DM nor its clients had valid consent for marketing communications, and that Everything DM’s reliance on unvalidated third-party consent was insufficient.
At the end of August, the ICO published their July report on actions they’ve taken over nuisance calls and messages, all of which should be familiar if you’ve been reading our Updates over the past few months!
Law firm EMW’s figures show that complaints about data breaches to the ICO have more than doubled since the introduction of GDPR / the new Data Protection Act in May, as many observers anticipated.
In parallel, Kroll has undertaken research on the back of a Freedom of Information request lodged with the ICO which shows that 88% of reported breaches are caused by human error, as opposed to sophisticated, malicious hacking. These errors include sending personal data to the wrong recipients, lost paperwork and forgotten digital storage locations.
Anecdotally it seems that either UK PLC’s information security has suddenly got a lot worse of late, or else organisations are being more open when data breaches occur. Recent big names owning up to breaches include Currys PC World.
And, at the end of last week, BA revealed a malicious data breach involving the personal and card details of 380,000 customers. This led to an immediate 4% drop in the share price of IAG (BA’s parent company), the almost immediate announcement of a potential £500m group (class) action under the Data Protection Act 2018 by SPG Law, and lots of excited journalists’ estimates of a £500m fine from the ICO, as the breach occurred over August and September. We’ll see…
Meanwhile, even if no-one’s going to get fined €20m or 4% of global turnover for GDPR infringements any time soon, in the US the first shareholder claim against a corporation related to the GDPR has been lodged. Nielsen, the market research firm, is being sued for making misleadingly reassuring statements about its preparedness for GDPR and rejecting any negative impact on its access to and use of third-party data – before suffering a 25% share price drop in the summer, which it blamed on the impact of GDPR and the planned Californian 2018 Privacy Act (AB375).
The next Linden meeting is due to be in October.
Direct Marketing Commission
No news from the DM Commission this month – and possibly there won’t be until next year’s annual report for 2018.
Two guides from the DMA Contact Centre Council specifically written for contact centres to help them understand and comply with GDPR and the 2018 Data Protection Act: