I first came across this case early in 2017 when I received an unexpected and unwanted message about a loan to my phone via an organisation calling themselves the ‘Data Supply Company Ltd’. Who were this mysterious organisation and what do they do?
It turns out that the organisation was a collector of personal information. It collected this information from various sources and then made money by selling it onto other organisations for direct marketing purposes.
However, many individuals complained about receiving these ‘SPAM’ messages to their phones – 174 people complained. It turns out that the Data Supply Company had sold around 580,000 such records.
Now comes the really interesting part – what made the company think it was ok to sell these records? Well, the claim was that it came from financial institutions where individuals had been declined services and that the loan messages were of benefit and interest to the individual receiving them. In reality there were several issues with this, the individuals had not given permission for the information to be used in this way, clear privacy notices had not been provided and there was no lawful basis for using the data in this way.
As a way of making money, the Data Supply Company had found that its strategy had fallen foul of data protection regulations! A large fine and eventual liquidation of the business was to follow.
So what, have I learned from this case?
A number of key points have become clear to me:
- Always make sure lawful processing of data is taking place
- When buying a list of leads for marketing, always ensure that list has been obtained lawfully
- Ensure the individuals on the list have consented to their information being used for your intended purpose
- Make sure ePrivacy guidance on specific consent is followed
- If selling a list make sure a detailed record of where and when consent was obtained is available
Of course, you could always do what Sherbot does and check with the Gydeline software to ensure you remain compliant!