Buying in Personal Data? You Can’t Delegate Due Diligence to Your Suppliers

8th September 2020 by

Personal details are like gold dust to direct marketing organisations, but those who fail to take steps to ensure the lawfulness and integrity of their data supply chains risk being hit hard in the pocket. Exactly that happened to a company whose cold-calling campaigns generated scores of angry public complaints.…

Personal details are like gold dust to direct marketing organisations, but those who fail to take steps to ensure the lawfulness and integrity of their data supply chains risk being hit hard in the pocket. Exactly that happened to a company whose cold-calling campaigns generated scores of angry public complaints.

An investigation by the Information Commissioner’s Office (ICO) revealed that, over a period of 11 months, the company’s operatives had made over 270,000 unsolicited calls to individuals whose phone numbers were registered with the Telephone Preference Service (TPS). The effect of such registration was that the company should not have phoned them without obtaining their consent.

For use in its campaigns, the company purchased lists of personal data from third-party providers. It entirely relied upon them to perform due diligence checks and had no system of its own whereby it could check the data against the TPS register. It also did not maintain internal suppression lists so that, in some cases, individuals who objected to receiving calls were contacted again.

In ruling the company’s breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 serious, the ICO noted that 99 public complaints had been received from call recipients. Some of them had suffered rude, antagonistic and potentially intimidating behaviour from the company’s sales personnel.

By its own admission, the company took no steps to ensure that the data it purchased had been obtained fairly and lawfully. In failing to perform its own rigorous checks on the data’s legitimacy, it gave no consideration to the data protection and privacy rights of TPS subscribers. The ICO imposed an £80,000 monetary penalty on the company, which had now ceased making live marketing calls.

For more information regarding legal advice, or to speak with a qualified solicitor, please visit Healys LLP’s website.