This week saw a couple of reports of decisions in the sphere of bulk data processing, handed down by data protection authorities in the UK and Poland. The reactions have only served to underscore the continuing confusion and uncertainty that persist in connection with GDPR compliance in the marketing sphere.
In the UK, as reported below, a pension transfer company was fined £40,000 by the ICO after a bulk e-mail campaign which involved sending in excess of 1.9 million emails to recipients without their consent. Note that this was a fine imposed under the pre-GDPR regime, and could well have been significantly higher for breaches after May 2018. The company received the fine despite having apparently obtained guidance on its plans from a data protection consultancy, and having had that approved by a lawyer. The ICO made the point that their guidance on this area is comprehensive and that the decision applied legislation which had been in place since 2003.
Meanwhile in Poland a company which had amassed a collection of over 7,000,000 records fell foul of the provisions of Article 14 of the GDPR, another poorly understood provision. This Article governs the information which is to be provided when controllers get their hands on data other than directly from the data subjects in question. In short, what is required in the majority of circumstances is that the controller communicates with the data subject within (at most) a month of receiving the records, or in any case no later than when the records are used or passed on to a third party, to convey similar information to what would normally have to be provided in a privacy notice.
This decision, too, seems to have sparked concern. In particular, a range of businesses have operating models that rely on the ability to collect information that is in the public domain, aggregate it and then sell it on for a profit. These businesses have (generally) proceeded on the assumption that they could rely on an exemption to the requirements of Article 14 GDPR, a provision which excuses compliance where it is impossible to provide the information, or where compliance would entail disproportionate effort.
How much effort is disproportionate? Guidance published by the Article 29 Working Party, a predecessor body to the European Data Protection Board, had suggested that the volume of communications required might in some circumstances justify the conclusion that the effort would be disproportionate. But the Polish data protection authority's conclusion was that something more was required in this case. Even though in excess of 6 million individuals would need to be written to by post and a further 180,000 or so would need to be sent text messages, this was a cost that the company would have to bear if it wished to continue to do business. In addition to requiring these communications to be sent within 3 months of the decision, the authority also imposed a fine of nearly £200,000.
This may seem to be draconian. But it is important to remember that this company's business model involves exploiting these records for commercial gain - a factor which clearly had a significant impact on the conclusions of the Polish data protection authority. It is also important to bear in mind that if, as it should have done, the business had communicated with data subjects as it added their records to its database, the cost associated could have been much more readily absorbed into its operating costs.
Both decisions serve to underline an important point: too many businesses continue to operate on an assumption that they are free to make money without worrying about data protection compliance. This is seldom the case, particularly when personal data is being processed for commercial gain. Any company in this position would be well advised to reconsider the assumptions on which they have been proceeding. It is perfectly possible to continue to operate with large data sets, but doing so without due regard for the rights and interests of data subjects is no longer being tolerated.
Move with the times, because Elvis has well and truly left the building.
A Kent-based pension transfer company has been fined £40,000 by the Information Commissioner's Office after sending almost two million direct marketing emails to people without their consent. According to the ICO, Grove Pension Solutions sent these emails in 2016 and 2017 as part of a marketing campaign. The company had sought specialist advice from a data protection consultancy as well as independent legal advice about the use of hosted marketing.