On 9 March 2017, the UK’s Information Commissioner's Office (ICO) announced it would issue one of its highest fines to Media Tactics, a UK-based provider of marketing data, for breaching the rules on using citizens’ personal information. The ICO is an independent authority established to uphold information rights in the public interest, and according to its press release, it fined Media Tactics 307.000 EUR for not complying with the UK’s privacy regulations. This blog describes why Media Tactics was fined and how the case relates to the European Union’s new General Data Protection Regulation (GDPR).
Media Tactics was found to have made 22 million “nuisance” marketing calls using phone numbers purchased from third-party entities. These entities collected personal contact information through discount, prize-draw, loan or insurance broker websites that used privacy notices to obtain customers’ consent to share their information with third parties, if those third parties offered products / services akin to their interests. Media Tactics then used the third-party-provided phone numbers to make automated marketing calls. When recipients answered the calls, they heard a recorded message that covered a broad range of topics, from debt management to personal injury claims.
The ICO ruled the privacy notices used to obtain consent from customers were too generic and unspecific in describing which data would be shared for what purpose and to which organizations. Furthermore, it ruled obtaining consent via a simple checkbox was not sufficient. According to the ICO, the people targeted by Media Tactics were not given enough control over how their information would be used.
Incidents similar to the Media Tactics case happen often. It is common for companies to obtain consent to use personal information via broad terms and conditions that regularly place permission-related language in the fine print of page footers. Thus, it becomes difficult for consumers to know exactly what personal information is shared with which organizations and for what purpose.
For example, when you want to participate in a prize drawing you always need to agree with the terms and conditions of the competition. Hidden in these terms and conditions, you usually find language explaining how the contest organizers will manage your personal data and what they will do with it. However, this process is problematic because the terms and conditions are often too generic and not presented in a manner that is clear and easy to understand. The GDPR will address this head-on and set a high standard for obtaining explicit consent.
Under the GDPR, the process for obtaining consent will have to be explicit. The regulation’s formal definition of consent is as follows:
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The GDPR will require organizations to facilitate a process that gives individuals a choice of not only providing consent, but also maintaining ongoing control of how their data is used. To increase accountability, organizations will also need to keep a transparent record of the consent they have obtained. Additionally, individuals will have the right to withdraw their consent and view the details of their stored information at any time.
All of this means every website that collects personal information will have to change its processes. The collection of consent will be much more explicit, individuals will be provided with an opportunity to view and download the personal information being stored and they will have the right to ask for data correction / erasure.
Companies will have a lot of work to do to prepare for GDPR implementation by May 2018; however, the regulation will also bring compliant companies an added opportunity to gain confidence and trust from their customers. Furthermore, compliant companies will gain a competitive advantage over non-compliant companies. Adhering to the new rules will not only boost organizations’ customer service quality by placing customers at the center of the relationship, but also generate positive results in terms of reputation and engagement levels.
AMPLEXOR’s combined expertise in Enterprise Content and Digital Experience can help your organization define and categorize its methods of processing and storing personal information to prepare for the GDPR. Our dedicated, secure software tools can also help you prevent and / or minimize the impacts of potential data breaches.