☰ Menu

January’s Monthly Compliance Newsletter

Start 2020 as you mean to go on, by having a crash course in compliance & regulation news for people in #Sales, #Marketing & #Customerexperience.

This month’s headlines:

Finally, the ICO’s released it’s draft Direct Marketing Code of Practice for consultation – and it really does need a close read

Keen on using AI, but can’t explain how it works? The ICO says you need to be able to!

Data can be breached through cardboard storage boxes and shop tills, not just in the cloud 

“Told you so” chorus PCI solution vendors after the ICO quotes its own guidance

How identifying & verifying customers in your contact centre may be about to get even more tricky

The ASA returns to the vexed issue of (banned) gender stereotyping. Do you and your advertising agency understand the confusing rules?

Download it here:

and subscribe for free and receive the Newsletter in your inbox every month http://eepurl.com/gqxzw5

December’s Monthly Compliance Newsletter

All I want for Christmas is… a pithy summary of compliance news? Not top of your list maybe, but like sprouts it’ll do you good. Read on!

This month’s headlines:

  • Nationwide sanctioned by the CMA for not talking about PPI enough
  • Are SARs a pain in the **** for your business? The ICO wants to know
  • The PSA‘s new rules put the squeeze on premium rate scammers
  • How to turn a £80,000 ICO fine into a £90,000 fine in one easy move
  • Deliveroo and Wowcher are misleading (but not sexist) and KFC are just being rude, rules the ASA

Download it here:

and subscribe for free and receive the Newsletter in your inbox every month http://eepurl.com/gqxzw5

We’ve done a podcast!

Last week, The Hidden Edge‘s Laura McHarrie of The Hidden Edge and Nigel Davey of SME Needs invited me to join them on one of their Sound Business Advice podcasts. We chatted about customer engagement, behavioural insights, new technology, data and how to treat it…

November’s Monthly Compliance Newsletter

Daniel Defoe said death and taxes are certain – and so are regulation and compliance. But they’re not always clear or obvious. Let’s try and help…

This month’s headlines:

  The ‘tracksuit tycoon’ calls foulon Nike & Adidas

The ICO looks to seize dodgy marketers’ assets

  Two nuisance call directors banned for 6 years

  The Fundraising Preference Serviceisn’t preferred by many people, it seems

•  Deliveroo can’t deliver to space – official

  Is DRTV the retro-marketing salvation for marketers with GDPR-diminished databases?

  Tread carefully when setting up Google Ads warns the ASA

or subscribe for free and receive the Newsletter in your inbox every month http://eepurl.com/gqxzw5

October’s Monthly Compliance Newsletter

Here’s our October Compliance Newsletter, packed with the regulation and compliance news customer-focused professionals need to know (without the boring bits).

This month’s headlines:

  • Is the ICO crowd-sourcing cookie compliance?
  • CMA takes on Salesforce
  • Home improvements firm fined £150,000 for calling TPS numbers
  • Research shows marketers’ data privacy understanding getting worse
  • RNLIditches its consent-only fundraising stance
  • Burger King‘s milkshake tweet upsets the ASA

Download your copy here:

or subscribe for free and receive the Newsletter in your inbox (nearly) every month http://eepurl.com/gqxzw5

September’s Monthly Compliance Newsletter

Our September Compliance Newsletter, with all the regulation and compliance news customer-focused professionals need while the nights draw in…

This month’s headlines:

  • Subject Access Requests – rip up the process as they’ve got quicker and trickier
  • Cold calling culprit gets struck off for 5 years
  • Fake Mo lands vaping firm in hot water
  • 3 more years for the DMA and the TPS
  • £160,000 fine for boiler firm calling opted-out consumers

Download your copy here:

or subscribe for free and receive the Newsletter in your inbox (nearly) every month http://eepurl.com/gqxzw5

July & August’s Monthly Compliance Newsletter

Channel Doctors’ July & August Compliance Newsletter, with all the regulation and compliance news customer-focused professionals need this summer.

The Headlines:

  • The ICO says your website is probably non-compliant (all of a sudden)
  • Long-awaited ‘GDPR era’ fines put a potential £183m price on data breaches
  • EE fined £100k by the ICO for confusing marketing comms with service messages (and the ICO also reveals that it thinks repeating a message means you’re marketing)
  • Dyson’s TV ad rapped for a hidden plug
  • Home security firm fined £90k for assuming too much & checking too little when telemarketing

Download your copy here:

or subscribe for free and receive the Newsletter in your inbox (nearly) every month http://eepurl.com/gqxzw5

The Culpability Index (c)

Have you heard about the Culpability Index (c) ? Probably not, because I’ve just invented it after taking a more detailed look at the Information Commissioner’s Office (ICO)’s announcements last week of its intention to fine British Airways and Marriott £183m and £99m respectively for their data breaches.

In the space of two days, last week, the ICO brought the long wait for the UK’s first “GDFP Era” fines (if we disregard the action against SCL aka Cambridge Analytica) well and truly to an end. In fact if they had continued at that rate every working day for a year then the ICO could raise a much-needed £36.7bn for the Treasury.
Opinions vary as to whether the BA and Marriott level of fines (at least 200 times larger than any previous ‘pre-GDPR’ penalties, remember) were to be expected, or just an ‘opening shot’, likely to be reduced either in consultation with the other European data protection regulators, for which the ICO acted as lead regulator, or on appeal. But either way, 8 or 9-figure fines are way beyond the ‘slap on the wrist’ level big brands falling foul of the ICO have grown used to.
That said, the ICO’s decision making process seems typically unclear. BA’s data breach involved the personal data of far fewer EEA data subjects than did Marriott’s (500,000 vs 30 million), but the effective “cost per data subject” for BA was £366 – over 100 times greater than Marriott’s, even though from the information publicly available the sort of data involved was quite similar.

So, why was BA’s failure so much ‘worse’ than Marriott’s? Well , at this stage its hard to tell. The penalties are only proposed at this stage, so the ICO hasn’t provided any detailed explanations for their decisions. But even when penalties are confirmed it’s often not at all apparent why the ICO takes action enforcement action in specific cases and when they do, what it is that decides the level of penalty imposed.
When the ICO is planning to impose penalties running into the tens and hundreds of millions of pounds, however, they will need to. When data breaches occur arguably one of the key considerations is the breached organisation’s culpability. Perhaps the ICO’s view is that as Marriott’s breach was from the cyber insecure database inherited as part of its purchase of Starwood in 2016 then it’s mainly guilty of a lack of proper due diligence. In contrast, anecdotal evidence from within BA suggests that its data security failings were systemic, long-term and predictable – and therefore BA’s culpability was considerable.
Anyway, we’ll see what happens – and if anyone from the ICO’s reading, you can have the Culpability Index (c). For a small consideration.

Let’s talk.

(If you’re interested in this sort of thing, sign up to receive our Monthly Compliance Newsletter; dedicated to summarising regulation and compliance news and changes for people with more important things to worry about)

£366 per Person

£366 per person
That’s the equivalent price British Airways (parent group IAG) will have to pay if the ICO decides to uphold it’s interim announcement to fine BA £183.39m as a result of the airline’s 2018 data breach which exposed the personal details of 500,000 customers.
Impressively that’s even more than the £133m that yesterday’s negligible 1.5% drop in IAG’s share price shaved off its total market capitalisation (though the share price has been sliding recently, anyway, due to lower profits and the threat of strike by pilots).
So, the ICO has levied its first (non Cambridge Analytica-related) ‘GDPR era’ fine, using the 2018 Data Protection Act. What can we learn from it? Well, it’s no surprise that it’s for a data breach or that BA are a suitably ‘big name’. £366 per person whose personal data is breached would be a frighteningly high yardstick for most organisations which still hold lots of data on people they derive little commercial benefit from. But the fact that £183m is about 1½% of BA’s turnover might be more indicative and meaningful.
In any event, it may be time to have another cyber security audit!
And why not sign up for our Monthly Compliance Newsletter:


103 Seconds You’ll Never Get Back

I just called Nationwide‘s insurance number (0800 145 6060). My call was answered straight away and had my question about a quote knowledgably and helpfully resolved. The call lasted 5 minutes and 20 seconds. However, the first 1 minute and 43 seconds was taken up with up-front recorded messages.
That’s one third of the whole call, during which time I wasn’t having my query resolved, experiencing the good service I went on to receive and not able to interact at all – unless I pressed 1 to say that I didn’t want Nationwide to ask me how the call went afterwards.
In fairness to Nationwide (or more likely RSA which is their insurance partner), the messages about data protection, Nationwide’s commercial deal with the underwriter, credit checks, etc, weren’t awful examples of legalese – I’ve heard far worse – and no doubt there are good compliance reasons for having them all.
But then again, I only started half paying attention to the messages half-way through because a) it’s my line of work, b) I thought I could blog about it.
Really, there must be a better way!

1 2 3 4 11

We use essential cookies to provide necessary website functionality, we would also like to use additional cookies for additional functionality and third party cookies to track your visit, please accept or reject to inform us of your preference.