In a reminder to organisations that contacting customers without obtaining their consent or spamming them with promotional offers could attract regulatory fines, the Information Commissioner's Office has fined a Kent pensions company £40,000 for sending nearly two million direct marketing emails without consent.
These emails were sent by Grove Pensions Solutions Ltd between 31 October 2016 and 31 October 2017 using third-party email providers to advertise its services. Since the promotional emails were targeted at customers who did not consent to receive such emails, the ICO fined the company under the Privacy and Electronic Communications Regulations (PECR), which authorise it to impose a monetary penalty of up to £500,000.
Pensions company received incorrect data protection advice
According to the ICO, the fine has been imposed even though Grove Pensions Solutions Ltd did, in fact, seek advice from a data protection consultancy as well as independent legal advice about the use of hosted marketing for promotional activities. However, the advice proved to be inaccurate and resulted in the company breaching data protection laws.
"We acknowledge that Grove Pension Solutions Ltd took steps to check that their marketing activity was within the law, but received misleading advice. However, ultimately, they are responsible for ensuring they comply with the law and they were in breach of it. The ICO is here to provide businesses with guidance about electronic marketing and data protection, free of charge. The company could have contacted us and avoided this fine," said Andy White, Director of Investigations and Intelligence at the ICO.
"The law says that organisations cannot generally send marketing emails unless the recipient has given them their consent to receive them. This applies equally to organisations using third parties to send direct marketing on their behalf," the ICO added.
Organisations must contact the ICO or NCSC for data protection advice
This should serve as a lesson for organisations that are seeking advice from unofficial and third-party data consultancy firms and activists rather than from official forums such as the ICO, Cyber Aware or the National Cyber Security Centre.
Earlier this month, the National Cyber Security Centre launched a redesigned website to make cyber security as simple to understand for lay businesses as possible, ensuring that businesses don't get confused by the prevailing cyber security jargon and can access relevant information quickly using the new sections on the website.
The redesigned NCSC website features various sections catering to the specific needs of businesses of all sizes, features multi-page articles for complex topics and an alert banner on the homepage with important advice and guidance during live cyber security incidents.