Last week saw the Information Commissioner’s Office (ICO) fine financial firm Intelligent Lending, trading as Ocean Finance, £130,000.
Based in Manchester, Ocean Finance sent more than seven million texts of which 4.5 million were successfully delivered, offering a new credit card powered by major lender Capital One.
Ocean Finance said it believed it was complying with the law when they sent out the text messages, because the third party firm it had obtained the recipients’ details from claimed it had gained their consent to send texts.
An investigation by the ICO found the “consent” that had actually ben obtained to be “insufficient to meet the requirements of the law.” Steve Eckersley, Head of Enforcement at ICO commented, “Company bosses everywhere should sit up and take note of this fine and check their practices are compliant with the law before embarking on marketing campaigns.” He went on to say, “It’s your responsibility to make rigorous checks to ensure personal data has been obtained fairly and lawfully. It is not enough to rely on a third party.”
Not only were Ocean Finance fined £130,000, they were also ordered to stop sending texts immediately via an enforcement notice.
Lessons to be learned
The moral of the story is a two stage level of protection:
- Have a written agreement in place with the third party supplying the information with appropriate warranties and indemnities around the fact the individuals have given valid legal consent for their details to be passed on which gives you a right of recourse if there is an issue (making sure the contracting party can meet any liability under the indemnities and warranties from a covenant point of view)….but don’t simply rely on this without doing stage 2 as well
- Carrying out appropriate due diligence on the data to be obtained to make sure that appropriate consent has been given for the company acquiring the data to use it as it envisage.
Simply relying on stage 1, as many organisations do, is a risky approach. The person proposing to use the data needs to make sure they carry out appropriate due diligence on the data to be purchased to make sure all appropriate consents have been legally obtained in compliance with the relevant legislation. Pleading ignorance or assurances obtained from a third party is no longer acceptable and could prove to be both a costly and reputational/brand damaging high risk approach.
For further advice on Data Protection compliance and the implications for your business, please get in touch with Christian Mancier, Corporate/Commercial Partner (and Gorvins Data Protection Officer) via christian.mancier@gorvins.com. If you prefer to give Christian a call you can do on 0161 930 5151.