The ICO seems to have turned their attention away from major consumer brand data breaches and towards smaller marketing and financial firms who knowingly misuse consumer data.
Announced by Andy Curry, the ICO’s Director of Investigation, the ICO issued fines totalling 480k to four firms it found to be in breach of its data rules, and the language used in the fines makes for interesting reading:
- “didn't conduct any due diligence on its data supplier”
- “wasn't able to show any due diligence”
- “advised the ICO that its “opt in” data was obtained from 12 third party suppliers”
- “The ICO found ...it was relying on “good faith” alone with its purchased data”
The ICO were always going to get to grips with ‘data and lead’ sales, and its recruitment of senior technology staff and the way it's engaging with the financial services sector in particular mean it's becoming more knowledgeable.
Takeaway - What do you need to know?
The ICO are focusing on due diligence, and in particular the processes it expects to see from data buyers who work with lead generators and brokers of data. The language and highlighted quotes from the latest ICO enforcement notices are the starkest and clearest takeaway here.
If you acquire data to make outbound calls, the ICO will expect you, the buyer, to know where it's come from and what the consumer consented to. This shift towards targeting individual firms that acquire data follows a very similar pattern of litigation to what we’ve seen in the US with the enforcement of the Telephone Consumer Protection Act (TCPA).
This article was part of February's edition of The Leader, Contact State's monthly newsletter which you can read here.