ICO Fines Pensions Company For Sending Two Million Spam Emails

The Information Commissioner’s Office (ICO) has fined Kent pensions firm Grove Pension Solutions Ltd £40,000 for sending 1,942,010 direct marketing emails in the one-year period to 31 October 2017.

The ICO is responsible for safeguarding the public’s information rights and data privacy and has the power to impose substantial fines for breaches of the relevant legislation, including the Privacy and Electronic Communications Regulations, the Data Protection Act 2018 and the General Data Protection Regulation.

Grove Pension Solutions sent the emails after taking advice from a data protection consultancy as well as legal advice concerning hosted marketing. However, the advice was inaccurate, and the ICO found that the emails did not comply with the regulations.

On the whole, marketing emails should not be sent unless the recipient has consented to receive them. This extends to the use of third parties to send marketing emails, as Grove Pension Solutions had done.

ICO Director of Investigations and Intelligence Andy White said: “Spam email uses people’s personal data unlawfully, filling up their inboxes and promoting products and services which they don’t necessarily want.

“We acknowledge that Grove Pension Solutions Ltd took steps to check that their marketing activity was within the law, but received misleading advice. However, ultimately, they are responsible for ensuring they comply with the law and they were in breach of it.

“The ICO is here to provide businesses with guidance about electronic marketing and data protection, free of charge. The company could have contacted us and avoided this fine.”

As of 9 January this year, the ICO also has the power to fine the bosses of companies making unwanted cold calls to the public. Previously, firms would go into liquidation to avoid large penalties. The new legislation means that company directors can now be pursued, with maximum fines of £500,000 each for the company and its director.

It has been over six months since the General Data Protection Regulation (GDPR) was brought into force on May 25th 2018. Since GDPR came into force, official regulators have been notified that over 59,000 GDPR data breaches have taken place across the EU.

Under the new regulations, any firm that suffers a breach leaving the data it holds vulnerable has 72 hours from the time of discovery to notify a regulator. Failing to do this could result in mammoth fines of up to £8.5 million or 2% of the company’s worldwide annual turnover.

As a legal firm, how do you make sure you comply with data protection legislation and mitigate data breaches? Do you think the ICO have enough power to stop spam emails and unwanted cold calling?