If you are a technology service provider and have been taking notice of GDPR (the EU’s General Data Protection Regulation) and the new Data Protection Bill making its way through Parliament, then you will be aware that there are changes in the offing. One of those that is likely to be particularly relevant, if you handle or process your client’s data or the data they hold on their customers, is the changed status of data processors and data controllers. Currently, there’s a very clear difference between the two. As a data processor, the “my client told me to do it” defence isn’t quite water-tight, but in most cases it will keep you out of trouble.
It won’t do so in future, though. GDPR puts a lot more onus on data processors to be confident that the data they are handling is being used appropriately and compliantly.
So, just something to address from 26th May 2018 onwards, then? I think not.
There are a lot of half-truths and exaggerated predictions out there about GDPR / the 2018 Data Protection Act, but you can get a decent idea of how the ICO (Information Commissioner’s Office, the UK data protection regulator) is likely to behave in future by looking at what it’s doing right now. (e.g. www.linkedin.com/pulse/honda-flybe-83000-information-commissioners-office-3-steve-sullivan/)
Most months the ICO will take enforcement action on a handful of organisations active in the customer acquisition and direct marketing space. Unsurprisingly, most – but not all – tend to be smaller generators and users of third party data and their second and third-tier brand clients. Typically companies you’ve not heard of being fined for doing silly things.
In October the ICO fined The Lead Experts Limited £70,000 for making 111,072 automated calls (that is, pre-recorded ‘robot calls’) to consumers in the space of 2 days in May 2016. The calls did not identify who was responsible and there was no indication of the recipients having given their consent to being marketed to in that way. Fines related to the use of automated marketing calls are still relatively rare (despite them being a big cause of consumer frustration), but there’s not much exceptional about this case. Except in one respect.
The ICO’s detailed Enforcement Notice explains that they started investigating in response to consumer complaints about The Lead Experts’ calls promoting energy switching. In order to track down the (anonymous) caller, the ICO identified that the calls were being made via a third party platform provided by Easy Contact Now (www.easycontactnow.com – DXI as was, part of 8x8 www.8x8.com) and served Easy Contact Now with a Third Party Information Notice. The notice required them to reveal who their client was, which they duly did.
So, what might the ICO do when investigating a similar case after 25th May next year? My guess is that, on the basis of the changed definitions and respective liabilities of Data Controllers and Data Processors under GDPR / the new DPA, they may start to ask service providers like Easy Contact Now challenging questions like:
• Had they assured themselves that The Lead Experts had consent for automated marketing calls?
• Did their client contracts reflect this?
The Lead Experts looks like it is in the process of being wound up – though the ICO has said it will pursue them through insolvency practitioners and liquidators if it does fold, as they’d like the fine paid because Mr Hammond needs the money. Easy Contact Now is, of course, still with us. And I’m sure they do a good job for their clients. But if they’re not already thinking long and hard about the implications of GDPR and the Data Protection Bill on their business then I think they should.
And if you provide technology services to clients using their customer or prospect data, so should you.
*These notices are nothing new and have been around for a few years now: www.ico.org.uk/media/about-the-ico/policies-and-procedures/2777/enforcing_the_revised_privacy_and_electronic_communication_regulations_v1.pdf