
Protecting privacy - why bother?

So many reasons… But companies frequently just want to know what the regulatory sanction will be if they don’t.

And the Information Commissioner’s Office seems keen to show that it intends to keep up the momentum when it comes to enforcing the DPA.

The Data Protection Act 1998 has been in force for some years now, and yet I am surprised daily by the number of large businesses that do not have their “data” house in order. Maybe this is partly the fault of the lawyers for not standing their ground when it comes to compliance - it is very easy to dismiss minor breaches of the Act as low risk.

Well, perhaps no more.

Not only has the Ministry of Justice published draft legislation that would make breach of s55 (unlawfully obtaining personal data) punishable by a custodial sentence, the ICO has issued an annual report which promises to make things tougher for those organisations that do not handle personal information well (and easier for those that do).

And putting its money where its mouth is, the ICO has required undertakings from two more organisations.

What is particularly surprising here is the nature of the breaches. Many organisations may currently believe that there needs to be a major leak of personal data, or something similar, before the ICO will take a complaint seriously, or that a minor breach would need to cause significant damage to many individuals before it is escalated beyond a slap on the wrist.

But no.

No more marketing please

The first breach involved an individual who found it difficult to stop one company sending her marketing communications.

Clearly, “unsubscribe” requests should always be honoured by companies and it is hard to see why this should slip through the net.

However, there is one aspect of handling unsubscribe requests that I have found many clients (and lawyers) struggle with.

When a request to cease sending marketing information to an individual is received, the organisation should not just remove that individual from their marketing database.

Why not? Because deletion causes problems later down the line. Suppose the organisation later purchases a marketing database (which I wouldn’t necessarily advise…) that happens to include the details of this individual. If her record was simply deleted, the organisation has no way of knowing that she had previously asked not to receive marketing from it, and she will be mailed again.

Instead, the details of that individual should be suppressed - maintained on the database but clearly flagged as “no marketing”.
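To show the difference between the two approaches in working code, here is an added illustration (not code from the original post): a small marketing database that honours an opt-out by setting a “no marketing” flag rather than deleting the record, and then merges in a purchased list. The class and function names, the record layout and the sample addresses are all constructed for the example; the last function reproduces the deletion approach the post warns against so the two can be compared.

```python
"""Suppression vs deletion for marketing opt-outs (added example, constructed data)."""
from dataclasses import dataclass


def normalise(email: str) -> str:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


@dataclass
class Contact:
    email: str
    name: str
    no_marketing: bool = False  # suppression flag: the record itself is never removed


class MarketingDatabase:
    """Keeps every contact it has ever seen; opt-outs are flags, not deletions."""

    def __init__(self) -> None:
        self._contacts: dict[str, Contact] = {}

    def add(self, email: str, name: str) -> Contact:
        key = normalise(email)
        existing = self._contacts.get(key)
        if existing is None:
            self._contacts[key] = Contact(key, name)
        else:
            # Refresh the details, but never touch the suppression flag here.
            existing.name = name or existing.name
        return self._contacts[key]

    def unsubscribe(self, email: str) -> None:
        key = normalise(email)
        contact = self._contacts.get(key)
        if contact is None:
            # Unknown address: still record the opt-out so a later import cannot re-enable it.
            contact = Contact(key, "")
            self._contacts[key] = contact
        contact.no_marketing = True

    def import_list(self, records: list[tuple[str, str]]) -> tuple[int, int]:
        """Merge a purchased list. Returns (newly mailable, blocked by suppression)."""
        mailable = suppressed = 0
        for email, name in records:
            contact = self.add(email, name)
            if contact.no_marketing:
                suppressed += 1
            else:
                mailable += 1
        return mailable, suppressed

    def recipients(self) -> list[str]:
        """Addresses that may actually be mailed."""
        return sorted(c.email for c in self._contacts.values() if not c.no_marketing)


def deletion_approach(purchased: list[tuple[str, str]]) -> list[str]:
    """The pattern the post warns against: the opt-out is a deletion, so the
    purchased list silently re-adds the person who asked not to be mailed."""
    db = {"alice@example.com": "Alice"}
    del db["alice@example.com"]  # "unsubscribe" by deletion
    db.update({normalise(e): n for e, n in purchased})
    return sorted(db)


def demo() -> tuple[list[str], tuple[int, int], list[str]]:
    # Constructed sample data: Alice opted out earlier; a bought-in list includes her again.
    purchased = [("Alice@Example.com ", "A. Smith"), ("bob@example.com", "Bob")]
    db = MarketingDatabase()
    db.add("alice@example.com", "Alice")
    db.unsubscribe("alice@example.com")
    counts = db.import_list(purchased)
    return db.recipients(), counts, deletion_approach(purchased)


if __name__ == "__main__":
    recipients, counts, naive = demo()
    print("suppression approach mails:", recipients, "import counts:", counts)
    print("deletion approach mails:   ", naive)
```

With suppression, the import reports one mailable contact (Bob) and one blocked (Alice), and only Bob is mailed; with deletion, Alice is back on the list. Matching on a normalised address matters too: a purchased list will rarely spell the address exactly as the customer did.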

Secure systems

The second breach involved new employees sharing log-in details before they had been set up on the IT system. Why does this matter? Because if employees access customer details under a generic or shared log-in, there is no audit trail to follow - no way of telling who dealt with the personal data at any particular time.

There was no suggestion here that any damage had been caused - but the data controller had not complied with the 7th principle - the obligation to keep personal data secure.

Only the beginning

OK, so being required to give an undertaking to the ICO might not be that severe a sanction; but I think we’re seeing a clear message from our friendly regulator. Where you are a large, consumer-facing organisation, the ICO will react to complaints even if no damage has been caused (yet), and even though the breaches may seem trivial. Why? Because these types of breaches could lead to problems in the future, and with the number of customers these organisations have, they need to be nipped in the bud.

It is all too easy to disregard data protection compliance, particularly when there is no immediate penalty for doing so. However, consumers are becoming much more aware of their rights, and I can only see the importance of protecting personal data and privacy growing as time goes on.

Unfair terms in consumer contract guidance - Consultation

The OFT is consulting on revisions that it has made to its guidance on the Unfair Terms in Consumer Contracts Regulations 1999.

The guidance makes interesting reading and is a godsend for those of us who deal with consumer contracts. In particular, it contains an annex which sets out examples of clauses which were rejected by the OFT as being in breach of the regulations, and the final clause accepted by the OFT.

Responses are required by 22 May 2007.

The Office of Fair Trading: Unfair contract terms guidance

Custodial sentence for obtaining data illegally?

The Department for Constitutional Affairs has announced that it intends to take forward the ICO’s suggestion that custodial sentences be available for breach of s55 of the Data Protection Act 1998. This will be introduced when parliamentary time allows.

Copyright and Related Rights for the Knowledge Economy

The European Commission’s Internal Market Directorate-General commissioned a report, now published, into Copyright and Related Rights for the Knowledge Economy. With the full report running to over 300 pages, I’d recommend taking a look only at the executive summary. They have grappled with a whole range of issues relating to the changing ways in which we use information, and the international nature of that use. However, 15 years of harmonisation in the EU has, according to the report, brought both benefits and drawbacks.