A lost memory stick data breach is the sort of thing that could easily happen to any business where use of such devices is not properly locked down.
There was a lot of data on the stick here and, even though only a small part of it was personal data, the fine was substantial.
The main aggravating factor appeared to be that HAL had only trained 2% of its staff in data protection.
It should also be noted that the breach pre-dated the new GDPR regime and similar laxity in the future from an employer would likely result in even stiffer penalties.
So (a) train your staff on the importance of data protection and (b) get those memory sticks locked out of your systems or at the very least encrypted!
Given that BFL was responsible for its affiliates bombarding their subscribers with over 4 million emails about pre-paid funeral plans, they were always likely to end up on the ICO’s radar.
Many businesses don’t understand that the Privacy and Electronic Communications Regulations (PECR) impose separate, parallel and, in many ways, stricter obligations on them than either the old DPA or the GDPR when it comes to electronic marketing to individuals.
The company doing the marketing needs either to have specific positive consent from the individual (which can in theory be given via a third party) or to rely upon a soft opt-in, which is only available where that company (meaning the exact same company, not a business predecessor or another company in the same group, for example) has previously supplied similar goods or services to the individual.
Even contacting people to ask them if they are willing to be marketed to is, in itself, marketing, and so will breach PECR unless a prior consent or soft opt-in is in place.
Nor is there any ‘legitimate business purpose’ argument available, as there might be under the GDPR.
The only slight relaxation is that emails to corporate email addresses are not covered by the PECR (even if they contain employee names and so are personal data and covered by the GDPR).
The points to be taken away here are (a) be very careful before spamming out marketing messages to everyone on your group CRM database and (b) scrutinise anyone who claims to be selling lists of email addresses you can market to, to make sure they genuinely have the required (very high) level of consent from the relevant individuals to receive third-party marketing from you.
About the author
Name: Andy McNish
Job title: Partner
Company name: Davis Blank Furniss
Company website: www.dbf-law.co.uk
Phone number: 0161 832 3304
Andy has helped hundreds of small and medium-sized businesses with all sorts of corporate and commercial requirements for the past thirty years (the last twenty as Partner in our Business Department here at Davis Blank Furniss). In common with many rational people, the GDPR is one of his least favourite pieces of legislation.
November 8th, 2018