Company Fined £80,000 for Data Protection Breaches
13 November 2017
The Information Commissioner has issued Verso Group (UK) Ltd with a monetary penalty of £80,000, under S 55A of the Data Protection Act 1998. Verso obtained and sold large volumes of personal data for direct marketing purposes. The ICO said that the company had failed to comply with the Data Protection Act.
The ICO found that:
- Verso obtained personal data without providing the individuals concerned with sufficiently clear information about the companies to whom Verso intended to disclose their personal data.
- Verso’s telephone scripts, and its website, did not provide sufficiently clear information about how personal data would be processed.
- Where Verso obtained personal data from other sources, Verso failed to ensure that the data subjects had been provided with sufficiently clear information about the companies (including Verso) to whom their personal data would be disclosed.
- Verso failed to carry out proper due diligence, and to make proper contractual arrangements with suppliers of personal data. The terms and conditions and privacy notices used by those suppliers were inadequate, and Verso did not take sufficient steps to confirm that individuals had been provided with sufficiently specific information about how their data would be used.
Ensuring individuals are aware of exactly how their personal data will be used, and obtaining proper consent, will become even more important under the General Data Protection Regulation (GDPR), which will apply from 25th May 2018. The Regulation sets a high standard for consent, and the monetary penalties which can be issued for non-compliance will increase significantly.
All businesses and organisations should take the opportunity to review their existing privacy notices to ensure that they will comply with the GDPR. In particular, you should ensure that individuals are given clear and specific information about how their data may be used, and who it may be shared with. You should also ensure that when you obtain personal data from other companies, you satisfy yourself that the information has been obtained with the consent of the individuals concerned, and that you have contractual arrangements in place dealing with data protection compliance.
If you have any queries, please do not hesitate to contact a member of our Information Law team.