The Information Commissioner's Office (ICO) recently imposed a record £400,000 fine on communications company Keurboom. The fine was the result of a large-scale campaign of automated, unsolicited marketing calls. Keurboom Communications made nearly 100 million automated calls to people who had not given consent. Some of the calls were made at night. And some people received multiple calls on the same day. Many of the recipients of these calls were unsurprisingly distressed and upset by these calls, but it was not easy for people to identify the source of the calls or to make them stop. The automated calls that Keurboom bombarded people with related to non-existent PPI or accident claims, leading recipients to worry unnecessarily.
Keurboom Communications has since gone into liquidation, meaning that much of the fine may never be recovered by the ICO.
Future flouters of data laws will not escape so easily. The government has changed the rules so that future fines can be levied against directors personally. Multiple directors could be fined up to £500,000 each. The ICO hopes that this will stop the cycle of companies setting up to make a quick shilling by harassing the public, and then folding to avoid paying their fines.
One of the reasons for the record fine was the lack of consent sought before making millions of calls. Keurboom apparently made no effort to seek consent, or even direct their marketing to a suitable audience. The calls were indiscriminately made, and recipients had no easy method of opting out. Minister of State for Digital and Culture Matt Hancock said: "Nuisance callers are a blight on society, causing significant distress to elderly and vulnerable people. We have been clear that we will not stand for this continued harassment, and this latest amendment to the law will strike another blow to those businesses and company bosses responsible."
The rules on data use and consent are about to get tougher as the new General Data Protection Regulation (GDPR) comes into force on 28 May 2018. This EU legislation will not be affected by Brexit negotiations or decisions, so businesses must ensure that they are prepared for the new rules. Any organisation using customer data must have consent, and that consent must have been gained by clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent. Organisations must keep records of how and when consent was given. And people have the right to withdraw consent at any time.
Is your business ready for GDPR? Have you had to make any organisational changes – or implement any training – to prepare for the new legislation?