Posted by: Mike Clarke
On 17th December 2018 a change was made to Regulation 2 of the Privacy and Electronic Communications Regulations (PECR). This added the text below to the existing regulation:
(3B) If a monetary penalty notice has been served under this section on a body, the Commissioner may also serve a monetary penalty notice on an officer of the body if the Commissioner is satisfied that the contravention in respect of which the monetary penalty notice was served on the body—
(a) took place with the consent or connivance of the officer, or
(b) was attributable to any neglect on the part of the officer.
(3C) In subsection (3B)—
“body” means a body corporate or a Scottish partnership;
“officer” in relation to a body means—
(a) in relation to a body corporate—
(i) a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity, or
(ii) where the affairs of the body are managed by its members, a member; or
(b) in relation to a Scottish partnership, a partner or any person purporting to act as a partner.
What this change does is give the ICO the power to issue financial penalties not just to the company responsible for the contravention, but to the management team of the business as well. Changes to other sections had the effect of extending the £500,000 cap from being per business to per person. This means the ICO now holds the power to fine the business and each of its directors and managers up to £500,000 each if it sees fit to do so.
To date the ICO has not pursued both simultaneously: thus far it has pursued the corporate entity first and, only if it fails to secure a settlement, forced the corporation to dissolve and levied the charges on the directors. This is a massive change to the risks involved in running a business that fails to follow the rules on direct marketing and electronic communications. Part of the philosophy behind limited companies is that the owner’s liability is indeed limited. Removing this protection means that not just the directors, but the whole management team of any business that conducts direct marketing of any sort, should pay very close attention. Failure or negligence to follow the rules can now result in life-changing financial penalties.
How has this been enforced to date?
Among other things, the ICO is focused on clamping down on companies ignoring electronic marketing laws and breaching data protection regulations. The ICO aims to ensure personal data is kept secure and is used with the consent of the individual concerned. We don’t need to look hard to see examples of companies who have breached such regulations and understand why action was taken.
Whilst these regulations serve to reduce the inconvenience of billions of spam emails, texts and calls, a substantial part of their remit is to protect the vulnerable in society from being misled or abused. It’s easy to imagine how someone could be taken advantage of when the person on the other end of the line has so much of your information and sounds like they are just trying to help or provide a service.
Since November 2018, there have been 56 monetary penalties issued, 24 enforcement notifications and a single prosecution by the ICO. For large companies many of these penalties will be a proverbial slap on the wrist. The most recent example involved Virgin Media Limited, which was fined £50,000 for sending 451,627 direct marketing emails to people who had not given consent. As this represents just 0.00001% of Virgin Media’s £5 billion annual revenue, it doesn’t feel like much of a deterrent for companies of that scale.
The ICO has been open about the fact that it is struggling to collect many of these penalties, citing the pandemic as a reason. Fines are still being issued, however, and the ICO continues to offer a discount for swift payment combined with an agreement to waive the right of appeal. For example, Your Home Improvement Ltd was fined £20,000 but advised that if it paid early the figure would be reduced to £16,000, dependent on the company waiving its right to appeal.
The size of the penalties varies dramatically, with GDPR breaches exposing you to penalties potentially in the millions. The best way to avoid the risk, or at the very least reduce the impact should you fall short, is to follow the guidance, operate within the regulations, and make sure you remain informed of any changes.
What happens if the company can’t pay the fine?
Not all the penalties are of similar proportions to the one issued to Virgin Media, however. Sometimes the penalties can be more than the company is worth. In this scenario, before 2019, the company would often dissolve, with the less scrupulous ones then reopening under a new name with the same management team, office space and staff. The changes to the regulations are a direct response to this tactic: dissolving the company solved nothing, and the ICO pushed the government to give it the power it needed to go after the individuals involved. In this new world, if a company’s directors attempt to avoid paying the penalties, the ICO is now able to apply the penalty to the directors themselves.
It’s worth noting that companies providing auto-dialler technology or outsourced call centre services have never been fined or penalised for non-compliance. This applies even if the company using their services was unaware that the product or service was non-compliant. The burden of compliance, and the penalties for failure, always rest with the company on whose behalf the calls are being made or messages being sent. This meant that when fines could only be applied to a company, it was inconvenient but relatively straightforward for the directors of a company that had been misled to shut down the company and start another one, lesson learned. Now that those fines can be levied against the directors themselves, the penalty for using non-compliant call centre software or marketing services is a very different beast.
Since the adjustment to the rules, 27 directors have so far been disqualified from holding a directorship for over a combined total of 165 years and are also liable for £3.8 million in penalties.
To be clear, with the exception of prosecution for illegally obtaining and then selling personal information, the ICO has not yet directly targeted directors as a first action. They are first issuing penalties to the company and if the company makes payment and changes how they operate, they move on without taking things further. If the company enters a payment plan and changes how they operate, the ICO also moves on. The only instances where the ICO has switched to targeting a director is if the director has attempted to avoid the fine by changing directorship of the company to a new person or dissolving the company.
How to stay safe?
At Greenlight, we believe that outbound marketing still holds a lot of value. Provided you operate within the bounds of the law, it still presents an opportunity to grow your business exponentially. However, there are many call centre technology solutions out there, most based on open-source dialler technologies, that achieve agent productivity at the cost of compliance. Now that fines can be applied to the people whose businesses use these technologies, this poses a real risk to those using such solutions unaware of what their inexpensive dialler could cost them.
At Greenlight we have always done everything we can to ensure the solutions we provide keep our customers on the right side of the law. We appreciate the level of trust our clients place in us and accept this responsibility by remaining continuously up to date on the latest regulations and ensuring we always provide a safe solution. As we’ve done this since day one, and because all our technology has been built in-house, we’ve ensured that we can provide the maximum productivity possible while staying well within all regulations that apply.
The ICO penalties and the substantial risks that follow are daunting. The documentation they release is very wordy and sometimes hard to follow. We have a 16-point checklist that you can follow to help ensure you operate in a compliant way.
Remember, as the business owner, director or manager, you are responsible for how your business operates. You need to ensure you have processes to identify and rectify any shortfalls early. You need to guarantee that any technologies or outsourced providers you engage also work within these regulations; ultimately, you could be the one that ends up in the ICO’s sights.