Posted by: Mike Clarke
For this post we have taken an in-depth look at the ICO penalties issued so far this year, comparing the penalties to those issued in Q1 last year to see what trends we can see. This is all done with the goal of enabling you to move forward with a renewed perspective on what the ICO are looking for in order to reduce the risk of running into any penalties yourself in the future.
Q1 2021 / 2022 Overview
If you were to look at the penalty notices issued by the ICO in the first quarter of last year compared to the same period this year, you would notice multiple similarities. The same regulations are breached and the same number of monetary penalties is issued. The critical difference seems to be that this year the fines are lower by an average of 30%.
Looking at the penalties in more detail, it appears that it’s not the scale of the breach that is contributing to this reduction, but the commissioner’s view on whether the breach has been intentional or not.
As always, penalties were still issued to the companies that claimed to have been unaware of the rules they were breaking. Relying on ignorance as an explanation has never excused any regulatory breaches and the businesses in question are still seen to have profited by failing to follow the regulations. Companies that have shown remorse and implemented process changes however have seen consistently lower penalties than those who have not. This seems to indicate that the ICO is looking to support companies who wish to behave responsibly.
Looking closely at the year-on-year figures, the ICO is continuing to act in a consistent manner. The difference is that more of the companies being reported are, on investigation, seen to be at least attempting to adhere to the rules than in previous years. This may be at least partly attributable to the rule change at the tail end of 2018 which means that unpaid fines can instead be applied to company directors personally.
Enforcement This Year
- Energy Suite Limited
- The Money Hive Limited
- Royal Mail Group Limited
- Seaview Brokers Ltd
The smaller fines so far this year have been issued to companies that were negligent but then took all necessary steps to comply with the ICO’s investigation, including putting new processes in place to avoid further breaches. Energy Suite and Seaview Brokers had failed to check purchased data against the TPS list, leading to a breach. The Money Hive used an unclear form that the commissioner felt misled customers into opting in to marketing. Finally, the Royal Mail Group’s fine was due to a breach attributed to human error.
Once the commission began its investigations, all the above parties responded by showing remorse and agreeing to implement new processes to avoid a repeat of the breach in future.
More significant penalties
- Domestic Support Ltd
- Tuckers Solicitors LLP
- UK Appliance Cover Limited
- Home Sure Solutions Ltd
- UK Platinum Home Care Services Limited
Of the more substantial penalties issued in the first three months of this year, Tempcover is unlike the others on this list. It had expansive internal policies that should have prevented a breach, but the company was failing to adhere to its own internal rules. This led to a more severe fine than those mentioned above, as the company had demonstrated that it understood what the regulations required of it and then failed to behave appropriately.
Tuckers Solicitors might have made it onto the smaller-penalties list too, as its fine was due to simple negligence. The penalty was issued for a GDPR breach caused by a failure to implement suitable security measures, and it appears to have been the scale of the breach that led to a higher fine being issued.
Domestic Support, UK Appliance Cover, Home Sure Solutions and UK Platinum Home Care Services were penalised more severely due to the intent behind their actions. They specifically targeted vulnerable age groups as well as ignoring TPS regulations and deploying predatory marketing techniques. With the exception of UK Platinum Home Care Services, these companies also failed to comply with the commissioner’s investigations.
The final, and by far the largest, fine of the year so far went to Home2Sense. Not only was the company found to have acted with intent to breach the regulations for monetary gain, it also failed to comply with the commissioner’s investigation and continued to breach the regulations despite contact from the commissioner.
How to Minimise a Fine From the ICO
This breakdown of penalties gives us a good insight into how the ICO is currently responding to complaints. The key indicator appears to be the intent behind the company’s actions that led to the breach. If you are acting with intent to take advantage of vulnerable people, or actively trying to subvert the regulations, you will see substantially higher penalties.
If you are attempting to follow the guidance and have implemented processes to ensure your organisation is compliant, then in the event you make an error that leads to an investigation, the ICO will treat you with leniency. However, if you put processes in place to ensure that regulations are adhered to and then systematically fail to follow them, it would appear you can expect a more severe fine than if you had no processes in place at all.
To summarise, the key lessons from the fines issued this year aren’t surprising, but are still worth reviewing:
- TPS-check, at least every 28 days, every data record used for telemarketing for which you do not hold a specific opt-in, regardless of whether your supplier has already done so.
- When creating a marketing list and creating a sales script, make sure they pass the “smell test”. If there’s any element of your marketing strategy that you wouldn’t want to become public knowledge, you probably shouldn’t be using it.
- If using online forms to gain opt-in consent, make sure these follow all guidelines set out in the PECR and don’t default to opting people in.
- Take the security of your business seriously and invest appropriately in technology and expertise to ensure that any data you are holding is protected.
- If you’ve put policies in place inside your organisation to ensure that the ICO’s guidelines are followed, make sure they are then trained out to all staff and adhered to.
- If you do find yourself on the receiving end of an ICO investigation, be sure to comply with all requests for information within the timeframes given.
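As an added illustration of the first lesson above (this is example code, not anything from the post or the ICO), the following screens a calling list against a TPS register, treating a record as dialable only if it carries a specific opt-in or has been screened by you, not your supplier, within the last 28 days. The register, numbers and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Set

# Re-screen cadence from the post: any record without a specific opt-in must be
# checked against the TPS register at least every 28 days.
RESCREEN_WINDOW = timedelta(days=28)

@dataclass
class Record:
    number: str
    specific_opt_in: bool = False          # explicit consent given to *this* organisation
    last_screened: Optional[date] = None   # when we (not the supplier) last screened it
    on_tps_at_last_screen: bool = False    # result of that screening

def is_overdue(rec: Record, today: date) -> bool:
    """True if this record must be (re)screened before it may be dialled."""
    if rec.specific_opt_in:
        return False                       # a specific opt-in overrides the register
    if rec.last_screened is None:
        return True                        # a supplier's screening does not count
    return today - rec.last_screened > RESCREEN_WINDOW

def screen_list(records: Iterable[Record], tps_register: Set[str], today: date) -> Dict[str, str]:
    """Screen a calling list; returns number -> 'consented' | 'cleared' | 'blocked'.
    Overdue records are re-checked against the register and updated in place."""
    outcome: Dict[str, str] = {}
    for rec in records:
        if rec.specific_opt_in:
            outcome[rec.number] = "consented"
            continue
        if is_overdue(rec, today):
            rec.on_tps_at_last_screen = rec.number in tps_register
            rec.last_screened = today
        outcome[rec.number] = "blocked" if rec.on_tps_at_last_screen else "cleared"
    return outcome

# Constructed sample data (Ofcom drama-range numbers, not real subscribers).
TPS_REGISTER = {"01632960001", "01632960003"}
TODAY = date(2022, 4, 1)
SAMPLE = [
    Record("01632960001"),                                   # never screened, on TPS
    Record("01632960002", last_screened=date(2022, 3, 20)),  # screened 12 days ago, clear
    Record("01632960003", last_screened=date(2022, 2, 1)),   # stale screening, now on TPS
    Record("01632960004", specific_opt_in=True),             # explicit opt-in held
]

if __name__ == "__main__":
    for number, status in screen_list(SAMPLE, TPS_REGISTER, TODAY).items():
        print(number, status)
```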
Which Regulations are Being Enforced Most Often?
One of the key reasons behind the Privacy and Electronic Communications Regulations is to protect consumers from unfair marketing practices. The regulations most commonly cited in the enforcement notices issued by the ICO are Regulations 21 and 24.
The regulations surrounding marketing can be complex and span multiple interlocking regulations. For a full list of current regulations, we previously authored an article on 16 Checks to Keep Your Call Centre Ofcom Compliant.
We keep a close eye on the regulations and if there are any notable changes introduced, we will provide an update in a future blog post.
At the start of this year, we saw the appointment of John Edwards as the new UK Information Commissioner. This led to speculation about how the ICO would continue to operate moving forward.
Towards the end of January, Mr Edwards announced a major listening exercise. During his statement, he acknowledged the UK's historic yet evolving relationship with privacy, not just in terms of data. He was keen to engage with industry representatives to learn more about their experiences and how the ICO could help them achieve their objectives under the legislation.
The UK Government is currently reviewing the data regulations across the UK, and this listening exercise coincides with this review. The ICO expects to announce its new three-year plan, ICO25, at its flagship data protection conference (DCP2022). The current three-year plan runs until the close of 2022.
We will continue to stay up to date on the latest guidance from the ICO and post it here on our website to help keep you informed.