Massive fines for GDPR breaches? ICO will use powers proportionately and judiciously

In a recent blog post, the Information Commissioner, Elizabeth Denham has dispelled some myths about the forthcoming GDPR legislation.

Scaremongering in the media has led some businesses to feel fearful of the maximum £17 million or 4% of turnover penalties allowed under the new law.  It has also been falsely reported that these increased fines will help fund the work of the ICO.

Denham comments “If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.”

She adds “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”

For the ICO, issuing fines has always been and will continue to be, a last resort. In 2016/2017 they concluded 17,300 cases and only 16 of them resulted in fines for the organisations concerned.

Read Elizabeth Denham’s blog post >>

How new EU new privacy legislation affects email marketers

There is new legislation arriving in 2018 which affects anyone who carries out email marketing. 

EU legislationThe General Data Protection Regulation (GDPR) is the EU’s new privacy law and it’s due to be enacted on 25th May 2018.  Its aim is to bring uniformity to a plethora of different legislation across all member states, and to replace the Data Protection Act and the Privacy & Electronic Communications Regulations (PECR) which are no longer fit for purpose.

GDPR will affect every company that uses personal data from EU citizens. If you collect email addresses and send marketing emails to subscribers in the EU, you’ll have to comply with GDPR — no matter where you’re based.

Penalties are due to increase significantly up to a maximum of €20 million or 4% of global annual turnover.

The key points are:

1. New subscribers will need to affirm that they want to opt in.

This affirmation must be via a dedicated subscription form, or via an unticked check box in situations where you’re collecting data for other reasons, such as order processing or membership applications. Pre-ticked boxes or “Tick here to opt out” will not be permitted.

2. You will need to tell subscribers how their data will be used.

For example, if they give you their email address to download a free article you must tell them if you plan to use that email address for marketing purposes and give them the option to opt into this.

3. You will need to keep a record of consent.

For example, if you use a provider such as Campaign Monitor they will store details of how and when a recipient subscribed along with their IP address. It is not clear at the moment whether such information will be sufficient. I’ll monitor how this will need to work in the coming months.

4. The following commonly adopted scenarios will no longer apply.

(i) An existing business relationship will no longer imply consent. For example, where you have an existing database of customers and suppliers and you use that for email marketing.
(ii) The current soft opt-in where you can email people if there is an existing business relationship.

[UPDATE 06.09.17] There is however a “legitimate interests for processing” test which means in some cases it might be possible to continue emailing a subscriber without the above in place. The Information Commissioners Office (ICO) is due to issue guidance on this towards the end of 2017. Read more from the DMA >>

5. You will need to get your existing data up to GDPR standards.

If you can’t provide sufficient proof of consent for existing subscribers, you won’t be allowed to contact them anymore. You will need to run a re-permissioning campaign.  This includes subscribers you have added using soft opt-in.

What next?

I’ll be working with all existing Expertise on Tap clients to ensure they are compliant when the new legislation comes into force. If you are not a client and need help running a re-permissioning campaign do let me know.

There are other aspects to GDPR in addition to email marketing. There’s more information here from the ICO.

The above content should not be used as a substitute for professional legal advice.

Watch this video I produced for Cheltenham Chamber of Commerce. Matthew Clayton from Willans LLP talks about GDPR and how it will affect businesses.