As 2015 draws to a close, the UK’s Data Protection Regulator, the Information Commissioner’s Office (‘ICO’), is making sure it ends the year with a bang. The past few months have seen a significant increase in enforcement action, a theme which seems to be common for the regulator at this time of year because of the rise in shopping and promotional activities.
A key area of focus for the ICO has been to crack down on nuisance calls and inappropriate data-sharing practices through ‘Operation HIDA’.
On 22 November, the regulator wrote to more than 1,000 businesses in the UK asking for information on their data-sharing practices. The 15-point questionnaire includes questions on how the business complies with the law, what data is shared and how consent is obtained. Targeted businesses have also been asked to provide a list of all companies they have worked with in the past six months, suggesting that more businesses will fall under the ICO’s microscope in the new year.
Businesses that have received the letter have 21 days to respond. Failure to do so could see the issue of Information Notices, which legally compels the business to provide the requested information or otherwise face court action.
The ICO has also published a reminder of the dangers of using third-party marketing lists, an issue that was highlighted in the recent Optical Express case. The blog, which is accompanied by a short video, reminds organisations of their responsibilities under the Privacy and Communications Regulation 2003 and emphasises that it is the organisation undertaking the direct marketing activities that must satisfy itself that appropriate consent has been obtained. The ICO recommends that organisations carry out due diligence and cross check with the TPS when buying third-party marketing lists; otherwise they could face heavy fines. In the UK, the ICO can fine up to £500,000 data protection breaches.