
Who's afraid of the ICO?


Getting on the wrong side of the ICO can lead to reputational damage, massive fines and possible closure. And the organisations that do find themselves under the ICO’s scrutiny aren’t just the ‘usual suspects’ of dodgy telemarketers, spammers and con artists. I’ve been on the Information Commissioner’s Office’s website looking at the firms and organisations that have experienced the ICO’s most serious enforcement actions since last March. Those actions are:

• Prosecutions

• Enforcement Notices


• Monetary Penalties

The exercise has yielded some interesting results.

In good company
First off, whilst no one wants to find themselves in the ICO spotlight, if you do you will be in surprisingly good company. The Serious Fraud Office, the Crown Prosecution Service, South Wales Police, major corporations and even the loveable David Lammy MP have all committed serious transgressions. It’s not solely the less scrupulous members of the direct marketing industry (although there are plenty of those, too!).

You have been warned!
There were over 50 cases in the 12 months I reviewed. They included health workers inappropriately checking patients’ medical histories, individuals fraudulently selling customer data and criminal justice bodies losing vital evidence. Fines and the size of those fines are steadily on the rise.

However, I mostly focused on organisations which will regularly and unavoidably be using direct marketing techniques and engaging in direct, B2C contact to attract and retain customers.

Incidentally, thus far the 3rd sector has avoided prosecutions or financial penalties from the ICO. But a number of charities are now ‘in the spotlight’ and there’s no reason to expect that having charitable goals will act as a defence in future.

The business sector categorisation on the ICO’s website isn’t necessarily the clearest or most consistent, so I have attempted my own. Out of the 14 sectors I identified, just four experienced over half of the ICO’s most severe actions. These sectors were:

1. Call Blocking technologies

2. Claims management firms and agencies (PPI, Bank Charges, Industrial injuries, etc)

3. Home Improvements, Energy and Security products and services

4. Lead Generation

All of these sectors are big users of direct-to-consumer marketing techniques and purchase, acquire and process large volumes of consumer data – what I’ve roughly grouped together as the ‘marketing sectors’. So, it might not be a surprise to hear that they are especially likely to draw the attention of the ICO. While large corporations do fall foul of the ICO’s regulations, large-scale fining of ‘repeat offenders’ is typically targeted at smaller and/or less established firms.

Ignorance is not bliss

When it comes to compliance with data and marketing channel regulations, the root causes of non-compliance sit along a continuum that ranges from ignorance of the rules to contempt for them. There is no excuse for either, of course, but it would be simplistic to dismiss all recipients of fines as out-and-out rogues or cowboys. As the travails of the charity sectors over the past year have shown, the best of us can be prone to falsely relying on what’s accepted practice by our peers and displaying business sector ‘group think’ when it comes to the treatment of personal data.

The fines are typically large – and the ‘marketing sectors’’ fines are significantly larger, on average, than others’.

They are meant to convey a clear message and, in many cases, a death-blow to miscreants. Although, like parking tickets, there is a discount (20%) if a fine is settled within a couple of weeks, six-figure penalties are unmanageable for most recipients. Analysis of the 17 ‘marketing sectors’ firms fined since March 2015 shows that 10 still appear to be trading, but business failure takes a little while to emerge via official sources. I think it’s a reasonable assumption that the majority will have closed within a year of being fined.

Of course, many of those 17 firms were far from commercial and ethical paragons. A number operate in innately unstable industries and many are run by individuals who are adept at tactically winding-up and artfully re-opening essentially unchanged enterprises. Unsurprisingly, the ICO – along with industry bodies like the Direct Marketing Association – is keen to see responsibility shift to individuals, not just companies, so that regulation in the direct marketing sphere develops the ‘teeth’ of the financial services sector.

So, how to stay safe?

If organisations with the resources of Hutchison 3G (i.e. 3 Mobile) and The Telegraph can break the rules, so can you, if you’re not careful.

Reassuringly, help is out there:


Handily, the ICO updated its Guide to Direct Marketing, just last month. It’s surprisingly clear and provides some useful ‘real life’ examples:


And in the future
The DMA has created a dedicated area for all their General Data Protection Regulation (GDPR)-related content, which will help you not only ensure that you’re compliant now, but also be forearmed to remain so in future when the EU’s GDPR is reflected in national law. Go to www.dma.org.uk/gdpr

In addition, the DMA's a great source of information on regulatory and legal demands in the here and now (and members get free access to a dedicated legal team who can advise on specific questions and challenges).

So, keep up to date, check your assumptions, understand what best practice really is, ensure your colleagues are onboard and there'll be no need to be afraid.
