The Department for Culture, Media and Sport has announced that it will amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR) in spring 2017 to introduce personal liability for directors for nuisance call fines.
This will form part of the Digital Economy Bill. Although the Bill is mainly intended to improve internet connectivity and provide improved protections for internet users, it also aims to protect individuals by introducing a new statutory Code of Practice for direct marketing, to ensure better enforcement of sanctions against nuisance callers and to ensure that consent is obtained from consumers.
The PECR already requires companies to display their caller ID and provide call blocking devices to vulnerable individuals, but so far this has not been enough. The upcoming amendments will allow the Information Commissioner's Office (ICO) to issue fines of up to £500,000 to each company director for nuisance calls. If a company has multiple directors then each could be liable for a fine.
According to the ICO, it has issued more than £2.7 million in penalties for nuisance calls since April 2015. However, £2.26 million of those penalties remain unpaid. Many limited liability companies try to avoid the fines by declaring bankruptcy but then subsequently resurface with a new name. On 23 October 2016, the Information Commissioner (IC), Elizabeth Denham, welcomed the government's new plans, stating:
“Making directors responsible will stop them ducking away from fines by putting their company into liquidation. It will stop them leaving by the back door as the regulator comes through the front door”.
In preparation for the upcoming changes, as an employer you should conduct a thorough review of your company's marketing policies and procedures in order to minimise the risk of a personal fine for your directors.
Personal data collection procedures should be reviewed or put in place. A clear notice should be provided to individuals stating how the data will be used. Individuals must provide consent when their data is used for marketing purposes.
You should put in place a contract when dealing with third parties who buy, sell, rent or share personal data. It should ensure that both parties understand how the data should be used, who it will be shared with, how complaints will be handled and who will be liable for complying with data protection provisions. It is vital that ongoing monitoring is put in place to ensure that both parties are complying with the provisions of the contract.
Finally, you must remember that if an individual requests not to be contacted for marketing purposes, their details are placed on a separate and up-to-date internal “do not contact” list, as opposed to just being deleted. The list will serve as a reminder not to include their details in further marketing campaigns.
The ICO has produced guidance for organisations that are involved with electronic and telephone marketing, which can act as a useful starting point for ensuring compliance. The guidance can be found on the ICO’s website.