ICO fines up 100% in 2021

Even though none of these fines (which you can read about here) have had quite the amount of publicity you might think they deserve, they have all resulted in a degree of reputational damage, disruption to business plans and a chunk of unbudgeted costs. What do Boris Johnson, Len McCluskey, Philip Schofield and Mike Ashley all have in common? The thing that links this peculiar group is that their organisations, parties, or companies have all been fined by the Information Commissioner’s Office (ICO) over the past few months for illegal marketing activities. Even though none of these fines (which you can read about here) have had quite the amount of publicity you might think they deserve, they have all resulted in a degree of reputational damage, disruption to business plans and a chunk of unbudgeted costs.
Boris, Len, Philip and Mike are unlikely to form any one person’s ‘top 4 favourite people’ list, but each has their fans and supporters who might be surprised to see them involved in breaking the law in terms of how they market to consumers. Contact centres are squarely in the ICO’s line of fire and you should focus on making very sure that your brand or operation doesn’t find itself in the same position as Boris, Len, Philip and Mike.

We’ve been carrying out some analysis to help you do just that. Helpfully, in 2021 (to date) the ICO has imposed twice as many fines than it did in the whole of last year; part of a steady increase in the ICO’s enforcement action.

(Incidentally, hardly any of these fines are imposed under the 2018 Data Protection Act – which is how the government turned the GDPR into UK Law – but are infringements of the far older and less well-known PECR rules. However, that’s another story)

We live in a multi-channel world, but when it comes to rule-breaking the phone is still the leading communication channel. Very few contact centres have phone calls as at least part of their channel mix, but those which make outbound calls need to be especially conscious of the rules.

The rules include those governed by Ofcom which contain, but aren’t limited to, the use of predictive diallers. An area that we will be covering in a future article.

However, most enforcement is carried out by the ICO and invariably when companies are fined for their live calling its because they haven’t screened outbound calling lists against the Telephone Preference Service (TPS) register.

“Well, that’s obvious.” You might say “People have been doing for that for over 20 years. Only crooks and scammers wouldn’t TPS screen!”. That’s partly true, but it’s not just the scammers who have been fined.

Sometimes, firms think they have a prior relationship or permission that means they don’t need to screen against the TPS. In some cases, having an existing relationship does trump the need to TPS screen, but not always and the criteria aren’t always black and white.

Need some help navigating the ‘TPS or not?’ question? Give us a call

In other cases, firms have been reassured that the external calling data they have been provided has already been TPS screened by the data provider, when in fact it hasn’t. The ICO has repeatedly made clear that it expects brands and data purchasers to undertake the checks and due diligence needed to ensure that data is compliant and legal. “Don’t expect; inspect!”

Contact Centre Panel can help with this unenviable challenge, too. See Lesson 2, below

The incorrect or inappropriate use of third-party data – which is typically bought or rented to allow firms to access new potential customers – is a very common feature of the ICO’s enforcement cases, specifically mentioned in nearly half of them.

The whole area of the law and regulations around the identification and management of consumers’ personal data is complex and potentially fraught – especially when the data is provided by a third party.

As previously mentioned, as far as the ICO is concerned the compliance onus is on the data purchaser. Users of third-party data must undertake thorough due diligence of data providers to ensure they have a sound legal basis to use the data for marketing purposes, as well as having robust, enforceable contracts in place. This cannot be a ‘one and done’ or tick box exercise and should start with a thorough audit of the legal and compliance standing of the data provider.

Fortunately, Contact Centre Panel can help. We have undertaken a lengthy and detailed rolling audit of the legal and compliance status of over 50 data providers. As a result, Contact Centre Panel has identified a small group of providers – which offer data for use in a variety of channels – who we feel are well-placed to potentially offer legal and compliant assistance to contact centres and brands.

About a quarter of all ICO fines – and half of the phone-based enforcement cases – involve the incorrect use of Caller Line Identification (CLI) numbers. As you probably know, there are the numbers presented on the customer’s phone when you call them.

Again, it’s Ofcom that sets the rules and regulations about the use of CLIs, but it’s the ICO who are pushing fines and enforcement. Misusing CLIs is a red flag to the regulator.

Simply put, CLIs should clearly identify the recipient of the call, be dialable, consistent and not confuse or mislead the consumer. In addition, if the customer rings the CLI number back you need to be able to inform the customer who you are and why you were ringing them.

That probably sounds very straightforward and you may we be very confident about your use of CLIs. But that might not always be the case even when you feel you are being reasonable and fair:

• You could have several different offices or locations. Would it be wrong to cycle a variety of those numbers when calling to maximise answer rates?
• Or you might use the local office number when calling people who you know live nearest to that area. Is that ok?
• You know your customers or prospects are less likely to answer a call from a geographic, landline number. Can you use a mobile number CLI instead?
• What if for reporting or inbound call handling reasons it makes sense for you to use a different CLI for each campaign you run. How many different CLIs are too many?
• Or what if you’re running a collections campaign and know that your most hard-to-reach debtors will recognise and not answer your CLIs. Surely, it’s ok to vary the CLIs then? Isn’t it?

Sadly, the answers to these questions aren’t always clear, but you need to work out your approach and justification if you want to avoid damaging legal action and fines. Need a hand? Let us know.