ICO: ‘Too many brands are still paying lip service to data protection rules’
Information Commissioner Christopher Graham has warned marketers that many companies are not doing enough to meet requirements of data and privacy laws.
Speaking at the Direct Marketing Association’s (DMA) Data Protection conference today (27 February), Graham said: “A lot of people pay lip service to data protection and privacy policies, just assuming we [consumers] will say yes.”
A “crowd-sourced” research project is required to get a view of how companies of all types and sizes across the UK are approaching data laws, he suggested, commenting that the regulatory environment has now changed for good.
Earlier this week, the Government changed the law to allow the Information Commissioner’s Office (ICO) to take action more easily against companies making nuisance calls and sending spam texts, while a long-awaited new EU Data Protection Regulation is due to alter the way brands get consent from consumers to send them marketing.
Graham praised the UK’s removal of the “ridiculously high threshold” of proof needed for the ICO to fine rogue telemarketers, and added that recent European court decisions – including the so-called ‘right to be forgotten’ judgment against Google – demonstrate that clear new legal principles have already emerged.
“The consistent theme is the greater control of individuals over their data,” he said.
Despite the growing burden on businesses to demonstrate that they comply with data laws, Graham reassured those taking proactive steps to meet existing and future requirements, distinguishing them from “the cowboys and the people who don’t know or don’t care”. He argued that the forthcoming EU Regulation mainly represents “good practice recommendations being given statutory recognition” and that “if you’re following good practice you do not have too much to worry about”.
Nonetheless, uncertainty remains around the enforcement of both the UK’s new nuisance calling rules and any future EU regime. Graham expressed concern that levying fines on telemarketers is “not going to be that” easy, even though his office is increasing staff numbers to deal with the additional cases.
He also cautioned that “no-one can answer the question” of how to fund action taken against companies who break the EU’s new rules and that “if the new Regulation is over-ambitious and unrealistic, enforcement won’t happen”.
He urged European lawmakers to allow national regulators such as the ICO the discretion to prioritise cases where harm has been caused to consumers, rather than setting minimum fines for every single breach: “Let me keep the big stick in the cupboard for the people who need spanking.”
Meanwhile, The Guardian’s director of consumer revenues and chair of the DMA board Julia Porter said it has “galvanised its effort and forced the organisation to think about data and data protection”.
Prior to the review, she admitted at the event, the news organisation operated in silos with no real alignment on what its goals and objectives were. This highlights the need to have an “enabler” within the data compliance team to help marketers do their jobs better, she added.
“Data protection has gone mainstream. I’m not a compliance person, I’m not a data protection expert, but I do need to know how to use data to do my job properly,” she says. “I consider data protection to be as big a responsibility for me as I do for our data protection team.”
As a result, she advises businesses to simplify and explain policies clearly so that practitioners, customers and readers are all on the same page.
“The first thing we learnt [from audience research] is that data means different things to different people which may seem obvious but… people interpret data in different ways. One of the things that has come out of this project is that we need to get better at creating one version of the truth.”