This time last year, almost all email marketing commentators and bloggers would have suggested that the then soon-to-arrive General Data Protection Regulations would be the big thing for 2018. I’m not only saying this to show how prescient I was. Everyone said it.
We were proved right of course. What few suggested was that it would pass almost unnoticed, given that it was hyped as the biggest thing since the last big thing. Once it became law it was apparent that it was more evolutionary than revolutionary, and most of us went on as before, although with significant, if minor, modifications to procedures, especially in the way we handle our email marketing lists.
The ICO recently published details of its first enforcement order under the GDPR, a process that is more or less a warning that things could get nasty. The GDPR has been law since May, so the gap of six months is quite short. The ICO must have identified the breaches of the regulations almost from the off.
AggregateIQ Services, based in Canada, so a bit outside the EU, was found to have sent online political messages to UK citizens during the Brexit campaign. The order requires the company to ‘cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise, for the purposes of data analytics, political campaigning or any other advertising purposes’.
A bit late now you might think. However, all procedures on breaches of regulations must, of necessity, be reactive. You might also think that it has little relevance to email marketing, but you’d be wrong. It puts down a marker for those companies considering following AggregateIQ’s example.
Firstly, and most importantly for us if Brexit does proceed, it shows clearly that companies outside the EU can be prosecuted if they monitor the behaviour of EU citizens in breach of the GDPR’s provisions. We have been warned.
It also demonstrates that nothing is out of bounds. It is a political issue, but the ICO seems happy to take it on. It is clear that the way you process your email marketing lists, or anyone else’s, come to that, for whatever purpose will have to comply with the GDPR.
What is not so clear is why the company wasn’t penalised beyond the enforcement notice. Either there was evidence of wrongdoing, in which case why no penalty, or there was not, in which case why the enforcement notice at all. Prosecution without penalty would seem an odd decision in the event. Unfortunately, the ICO hasn’t shared the reasoning behind its decision in the matter.
On the ICO website we are told, in the comments on this case, that they remain a pragmatic regulator. They say that ‘this should not be taken as an indication that the ICO will not start issuing fines for breaches of the relevant legislation’. You might think that a clearer sign of this would be to issue fines.
The ICO has, historically, aimed at stopping breaches being repeated. With the possible penalty for failing to comply with the notice being €20 million, or 4% of annual turnover, it is a serious threat.