GDPR

by Laura Spencer Laura Spencer No Comments

Experian Discredited: ICO Investigation

Picture this – you are looking to buy your first house – you get your credit score checked by Experian  – you have heard of them, maybe seen some advertising on TV,  and so you go ahead. Little would you think about what Experian may be doing with your data without your knowledge/consent because there are regulations that they must follow – surely?

Experian and other credit reference agencies collect and process vast amounts of personal data in order to carry out credit checks as well as parts of their other services; ‘We gather, analyse, combine and process it to help people and organisations achieve their goals’. Yet does this mean that you as a consumer are intending for your personal information to be traded, enriched and enhanced without your knowledge or consent for marketing purposes?

The answer, more often than not, is no.

You most likely do not want the company sharing your information with third parties purely for their own marketing gain, even more so without your consent to boot.

This processing of your personal data by Experian resulted in products which were used by commercial organisations such as political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.  The UK Data Protection Regulator , the Information Commissioners Office (“ICO”) found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. ‘Invisible’ because the individual data subject is not aware that the organisation is collecting and using their personal data. This is against data protection law.

The Data Protection Act (DPA) and General Data Protection Regulation (GDPR) initiated a new approach to personal data and the transference of such data. It had 7 main aims/principles

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

These aimed to guide and regulate organisations to allow for individuals to have greater access to their data and to be able to understand what companies could and could not do with it.

Experian, failed to be transparent – outlined under Article 5 GDPR; this is because they were using ‘invisible’ processing of personal data and therefore were not being clear to data subjects, as to what their personal data was really being used for. g. The regulator found that personal data provided to Experian, in order for them to provide their statutory credit referencing function, was being used in limited ways for marketing purposes.

The ICO ordered Experian to make fundamental changes to how it handles people’s personal data within its direct marketing services. Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes. As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover. The enforcement notice followed a two-year investigation by the ICO into how Experian used personal data within their data brokering businesses for direct marketing purposes. The ICO’s notice requires Experian to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes. Experian has until July 2021 to do this subject to any appeal. The ICO also requires Experian to stop using personal data derived from the credit referencing side of its business by January 2021, which it does currently for limited direct marketing purposes. In the enforcement notice, the ICO states that people have no choice about whether their data is shared with Experian for credit referencing purposes and that Experian’s processing of this data for marketing purposes is unexpected.

At the same time that the ICO were investigating Experian, other credit reference agencies (CRA) were being investigated for similar reasons, only along with transparency some of the CRAs were also using profiling to generate new or previously unknown information about people, which is often privacy invasive. It is not revealed in the report as to whether Experian were also using profiling within their processing. This highlights the potential need for further regulating of these providers to ensure that there is compliance at all times in regards to both UK GDPR as well as the UK Data Protection Act (DPA). Similarly investigations such as this open consumer eyes as to what goes on ‘behind closed doors’ of companies in regards to their data and how it is used. Outgoing UK Information Commissioner Elizabeth Denham has remarked: “The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”

It is safe to say that certain reports and investigations that your data is being used for purposes that you did not consent to will have had an impact on the company itself – with its reputation severely tarnished.

by Laura Spencer Laura Spencer No Comments

Marketing Consent Crisis

We have all been there, scrolling through the endless marketing spam in our inbox – most of the time not even taking any notice on what we are deleting. Throughout the pandemic organisations have also turned to SMS in order to market their business – equally buying and selling personal data illegally in order to find a new customer bases.

Under the General Data Protection Regulation (‘GDPR’) Article 6 specifies that there has to be a legal basis for processing the data – the article also outlines 6 basis that make the processing legal. These are: 

  1. Consent: the individual has given clear specific informed consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Where organisations are using personal data to send unsolicited marketing emails and messages they may be doing this without consent which therefore breaking the law. Not to mention that these are often annoying and frustrating!

Why is a Legal Basis Necessary?

The first principle of GDPR requires that you process all personal data lawfully, fairly and in a transparent manner. If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle. Individuals also have the right to erase personal data which has been processed unlawfully. The individual’s right to be informed under Article 13 and 14 requires you to provide people with information about your lawful basis for processing. This means you need to include these details in your privacy notice.

However the UK Data Protection Regulator  the Information Commissioner’s Office (‘ICO’) throughout the pandemic have been having to enforce more and more cases of non-compliance in organisations. For example the ICO reported on the 5th March 2021 they fined two separate companies that sent nuisance text messages during the Covid-19 pandemic have been fined a total of £330,000 by the ICO. Messages from one of the companies prompted a record 10,000 complaints.

The companies in question were Leads Works Ltd and Valca Vehicle Ltd. The ICO fined West Sussex-based Leads Works Ltd £250,000 for sending more than 2.6 million nuisance text messages to customers without their valid consent. These messages, that were sent between 16 May and 26 June 2020, resulted in over 10,000 complaints, the company have also been issued with an enforcement notice by the ICO, ordering it to stop sending unlawful direct marketing messages.

Examples of the text messages include:

“In lockdown and want to earn extra cash? Avon is now FULLY ONLINE, FREE to do and paid weekly. Reply with your name for info. 18+ only. Text STOP to opt out.” The ICO’s investigation found Avon did not send or instigate the text messages.

Valca Vehicles Ltd, following complaints from the public to the ICO, the company was found to have sent more than 95,000 text messages from June to July 2020 without the recipients’ permission. The messages referenced the pandemic and were designed to appeal to individuals whose finances have been adversely affected. This, in the Commissioner’s view, was a clear attempt to capitalise on, and profiteer from, the health crisis.

Examples of the text messages:

“*firstname* Affected by Covid? Struggling with finances? lost job /furloughed? Were here to help! Gvnmnt backed support see if you qualify http://www.debtquity.org”. The company, which is currently operating as ‘Debtquity’ to generate leads for debt management products, has also been issued with an enforcement notice by the ICO, ordering them to stop sending the messages.

A Post Pandemic World…

The future, although uncertain, will involve businesses trying to recuperate what was lost to the pandemic – rebuilding and reimagining marketing. However, it is important to note that despite the fact we have been living in unprecedented times, the UK GDPR as implemented through the UK Data Protection Act (‘DPA’) still has to be followed in order for business to operate legally.

So is buying contacts and sending marketing emails and sms texts impossible under GDPR?

NO – this can still be done but it has to be done in a manner consistent with GDPR. An organisation can purchase personal data such as emails or phone numbers and used them for marketing PROVIDED you can demonstrate compliance with one of the 6 bases named above. Poor value data vendors are continuing with the same poor practices that were actually illegal under the pre – GDPR data protection laws, let alone now. Good vendors are providing due diligence documents demonstrating legal basis, and providing the purchaser with evidence to demonstrate compliance, such as records of consent, showing how and when it was given and for what purpose. Any reputable vendor would be easily able to provide this information on request, so the onus falls on the organisation buying the data and doing the marketing – don’t forget your GDPR due dilligence.  

*Spam texts and emails, as well as nuisance calls can be reported through the ICO’s website at ico.org.uk/concerns. Mobile phone users can also report spam texts to the GSMA Spam Reporting Service by forwarding the message to 7726.

by Laura Spencer Laura Spencer No Comments

Schrems II: Privacy Shield Down – The future of international data transfers with the US

Dr. Heather Anson chaired a discussion on Wednesday 12 August at 1pm BST regarding the recent European court decision that struck down the EU-US privacy shield, the main data sharing agreement allowing the storage of personal data of EU citizens in the US where the majority of the worlds cloud storage infrastructure is held.

Heather Anson was joined by Peter Wright, managing director of Digital Law, Jennifer Baker, Brussels based technology journalist, and Anna Drozd, specialist on EU law on Privacy and data protection based in the Brussels office of the Law Society of England and Wales, and covered topics such as:

  • The implications of this decision on data sharing between Europe and the US,
  • The use of Standard Contractual Clauses in contracts to facilitate international data transfers,
  • The use of Binding Corporate Rules,
  • The implications for businesses based in the UK, Europe and elsewhere who wish to trade in the European digital single market,
  • The likely implications of Brexit on international data transfers to and from the UK,

and more.

Don’t worry if you missed it, the webinar was recorded and is now available on demand by clicking on the link below.

by Laura Spencer Laura Spencer No Comments

5 Tips for more Secure Remote Working

For some people who run their own businesses or those who’s employers promote flexibility in the workplace, remote working may be the norm. However, for a large majority of the population this whole “working from home” situation is completely new! Whilst working from home is essential during this difficult and unprecedented time, it doesn’t come without its risks.

Read more

by Laura Spencer Laura Spencer No Comments

Clio Online Webinar Series – Remote Working

Unfortunately this years LegalEx event was postponed due to Corvid-19. As you may have heard, Peter Wright, the managing director of Digital Law and consultant for Anson Evaluate, was due to speak at the event alongside many other valued speakers.

Luckily for you, you don’t have to miss out completely. Not only has the event been rescheduled, but our friends over at Clio set up a mini webinar series that took part over 2 days last week. On the 2nd day of the series Peter Wright participated in a webinar focused around remote working alongside Joe Walsh, a remote working specialist from LogMeIn.

Don’t worry you if you didn’t manage to watch it live, you can view a recorded version of the webinar here:

https://landing.clio.com/clio-online-seminar-series-2.html?utm_source=internal&utm_medium=email&utm_campaign=legalex-seminars-2020&utm_content=noshow

by Laura Spencer Laura Spencer No Comments

1 Year Anniversary of the GDPR

With the 25th of May fast approaching, it’s been almost a year since the General Data Protection Regulation (“GDPR”) came into force throughout the European Union (“EU”). In celebration, we are offering £100 off our GDPR Compliance Manual for Law Firms.

Read more

by Laura Spencer Laura Spencer No Comments

Data Protection Officer Service

Under the European General Data Protection Regulation (“GDPR”), for some organisations it is a mandatory requirement to have a Data Protection Officer (“DPO”), whether this is in-house or outsourced. However, mandatory or not, a DPO can still be beneficial to all firms who need guidance and support to ensure compliance with GDPR.

Read more

Top