The Information Commissioner’s Office (ICO) Powers to Fine increase as a result of the GDPR and the DPA 2018 and the Privacy Electronic Communication Regulation will still also apply!
From 25th May 2018, the ICO can now impose civil penalties on a data controller. Currently there two tiers:
There are two tiers of administrative fines that can be imposed as penalties for GDPR non-compliance:
- Up to €10 million, or 2% annual global turnover – whichever is higher; or
- Up to €20 million, or 4% annual global turnover – whichever is higher.
ICO Fines Vote Leave Ltd – £40,000 for sending unsolicited texts
If you send unsolicited texts… think twice. The ICO fined Vote Leave £40,000 for sending 196,154 text messages promoting the aims of the Leave campaign. The majority of the texts had a link to Vote Leave’s website.
Vote Leave stated that they obtained the contact details of individuals as a result of individuals making initially enquiries through Vote Leave’s website. They also acquired the personal data of Individuals personal data as a result of individuals responding to Vote Leave’s promotions and football competitions. Vote Leave went on to state that they had deleted evidence of consent.
Steve Eckersley – Director of Investigations statement
“Spam texts are a real nuisance for millions of people and we will take action against organisations who disregard the law.
“Direct marketing is not just about selling products and services, it’s also about promoting an organisation’s aims and ideals.
“Political campaigns and parties, like any other organisations, have to comply with the law.”
ICO Fines PPI £120,000
The ICO has fined PPI because it sent unlawful spam texts about its services.
Hall and Hanley Ltd of Devonshire Street North, Manchester were responsible for sending the unlawful texts which amounted to 3,560,211. They related to direct marketing.
When will I be hit with the highest fines under the GDPR?
If the data controller does not comply with the key principles! This is one of the breaches which carries the highest fines under tier 1! If the data controller or the data processor do not comply with their respective obligations under the GDPR (and DPA 2018), this can carry a fine under the tier 2.
ICO – Power to fine Directors Under new amendments to Privacy Electronic Communications Regulation
The latest amendment to the PECR took effect on 17 December 2018. Directors as can now held accountable for fines of up to £500,000.
The PECR covers amongst others: electronic marketing, security, cookies. It outright prohibits businesses from sending electronic communications unless the individual’s consent is first obtained.
However, the organisation said that following the conclusion of the referendum campaign it had deleted evidence of the consent relied upon to send the messages. Also deleted were details of the phone numbers the messages were sent from, the volume of messages sent, and the volume of messages received.
ICO Fines BFL under PECR
The ICO fined Boost Finance Ltd (BFL) which was trading as findmeafuneralplan.com for sending 4,396,780 emails between the period of January to September 2017. BFL had failed to obtain the individuals’s consent had not been provided.
BFL relied on misleading methods to collect personal data to obtain consent. The ICO went on to state that the consent was not informed and as a result breached the PECR.
The ICO went on to state the importance of gaining ‘informed consent’. An individual must know what they are consenting to. Organisation should use simple clear language in order that the individual understands fully what they are consenting too. The ICO made it clear such information should not be hidden in a privacy notice in tiny print!
GDPR Free Compliance Webinar: https://gdprcomply.net/register
GDPR Online Courses: https://gdpr-comply.com/online/
