The Information Commissioner is producing a Direct Marketing Code of Practice, as required by the Data Protection Act 2018, which will provide practical guidance on carrying out Direct Marketing in accordance with the requirements of Data Protection Law and the Privacy and Electronic Communications (EC Directive) Regulations 2003. The draft release is attached.
The Direct Marketing Code of Practice will significantly impact all organisations that use Direct Marketing and includes clarification on what is considered to be Direct Marketing, the limits of Legitimate Business Interest, Consent and how to ensure a Data Protection by design approach to marketing activity. It is unlikely that many organisations will currently fully comply with this code.
We recommend that all organisations that utilise Direct Marketing, particularly in the form of electronic communications, review their processes in detail to establish if they comply with the proposed new code of practice. You will be impacted if you fall under the following definitions:
A breach involving your organisation’s personal data can have a significant effect on data subjects, your staff and your organisation (both financially, through fines from the ICO, and reputationally). The latest research from IBM suggests that the average cost of a data breach to a UK business is £2.9 million when taking into account both the immediate actions needed to deal with the breach and its longer-term effects, such as loss of business.
As the ICO closes its consultation on its new Accountability Framework this week, there has never been a better time to consider how you can demonstrate data protection accountability in your organisation. The EU General Data Protection Regulation makes it quite clear that it is not enough simply to adhere to the key principles for processing personal data; you also need to be able to show how you are meeting those principles.
But what does that mean in practice? Well, the ICO provides a list of areas where it feels organisations should be demonstrating accountability.
The ICO is currently actively contacting organisations they believe to be processing personal data that are not already registered on the ICO's register of fee payers. Every organisation or sole trader who processes personal information must pay a data protection fee to the ICO unless they are exempt. The potential consequence of not paying this fee or paying the wrong fee is a fine of up to £4,350.