27 July, 2018
With the advent of GDPR and its marked increase in responsibilities and potential sanctions, the importance of responding quickly to data breaches and cooperating with the Information Commissioner's Office (ICO) has never been higher.
This was exemplified on 23rd June 2018, when Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. As soon as the malicious software was discovered, Ticketmaster disabled the Inbenta product across all of its websites, but by then some of Ticketmaster's customers' personal or payment information may already have been accessed by unknown third parties.
Ticketmaster is working with the ICO, as well as credit card companies, banks and the relevant authorities, in order to contain the breach and best protect customers' data, a process all organisations should follow upon discovery of a data breach.
Earlier this month, an ICO spokesperson confirmed that "organisations have a legal duty to ensure that people's personal information is held securely. We have been made aware of an issue concerning Ticketmaster and will be making enquiries. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts".
While GDPR has grabbed the headlines recently and rightly driven forward the importance of dealing properly with personal data, other regulations such as the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (PECR) remain in force and must still be complied with. On 18 June 2018 the ICO fined Our Vault Limited (OVL) £70,000 for making a total of 149,777 unsolicited direct marketing calls to subscribers between 1 March and 16 June 2016, of which 55,534 were to numbers that had been registered with the Telephone Preference Service (TPS) for more than 28 days.
Following an investigation by the ICO, OVL conceded that over a four-year period its dialler had made over 30 million marketing calls, and that once numbers were uploaded to the dialler they were not screened against the TPS register. The ICO also found that, of the 149,777 calls made over the 3.5-month period, on average 37% were to numbers registered with the TPS for more than 28 days.
OVL continued to make repeated calls to subscribers even though they had registered with the TPS and/or told OVL that they did not wish to receive calls. The ICO treated this as a contravention of regulation 21 of PECR (unsolicited direct marketing calls) and issued the monetary penalty under section 55A of the Data Protection Act 1998.
Whilst PECR is due to be replaced by the even tougher ePrivacy Regulation at some point in the future (watch this space), it remains in force, and as the OVL case shows, ignoring the rules on direct marketing can lead to serious repercussions.
These penalties reinforce the serious consequences of data breaches for private companies, charities and governmental organisations alike. As both matters arose under the Data Protection Act 1998, the penalties were capped at a maximum of £500,000. For breaches of the GDPR and the Data Protection Act 2018, however, the cap is the higher of €20,000,000 or 4% of an organisation's annual worldwide turnover (note that penalties for PECR contraventions remain capped at £500,000).
Forbes Solicitors regularly advise a range of businesses on data protection law including compliance with the DPA, PECR and preparing for the GDPR and ePrivacy Regulation including providing training. We offer a range of fixed fee Data Protection support services and would be happy to discuss how we can assist you with your preparations with the aim of helping to minimise the occurrence of breaches, and in the event of a breach help to reduce the penalty given. If you have any questions, please contact me on 01254 222451 or at email@example.com.