The data protection watchdog, the Information Commissioner’s Office (ICO), issued its Annual Report in late June 2016.

In the foreword to the report, outgoing Commissioner Christopher Graham remarked that his organisation had imposed fines totalling more than £2 million on companies that made illegal marketing calls during the 12 months covered by the report.

He also made reference to the new EU Data Protection Regulation that comes into effect in May 2018. Firms in all business sectors must continue with their preparations for this change: although it is a piece of EU legislation and the UK has voted to leave the Union, the UK will certainly still be a member come the implementation date.

Firms in all business sectors are urged to take the following steps now, in preparation for the Regulation’s introduction:

• Put in place incident management plans regarding how the firm will handle a significant data breach. (The Regulation will introduce a mandatory requirement for firms to notify their national data protection regulator and the affected data subjects within 24 hours of a significant breach.)
• Ensure the firm has documented data protection procedures and privacy policies. The Regulation demands that these procedures are written in plain language. These procedures should be provided to customers on request.
• Ensure that all data subjects give explicit consent for their data to be processed
• Train staff as to their data protection responsibilities
• Have a system whereby the impact on individuals’ privacy is considered when new products/services are introduced, or when new ways of handling personal data are adopted. This is known as a Privacy Impact Assessment.
• Ensure robust contracts are in place with any third party that processes data on the firm’s behalf
• In addition to appointing a Data Protection Officer (DPO), put in place a data protection ‘governance committee’ or similar to assess the firm’s efforts to comply with data protection law
• Where a firm operates in more than one EU member state, ensure that it is aware of which national regulator it will be primarily responsible to

Now we look at some of the items in the Report that relate to financial services firms, or those in the claims management sector.

The Report’s timeline of events for the last 12 months includes:

• April 2015 – the law was changed so that companies can now be fined if their marketing communications cause inconvenience to recipients. Previously the ICO had to demonstrate that the company’s actions caused distress or anxiety to recipients before it could take enforcement action
• June 2015 – orders were imposed on Money Help Marketing Ltd, Preferred Pensions LLP and Advanced VOIP Ltd requiring them to start complying with legislation relating to marketing communications
• June 2015 – a Lloyds Bank employee was cautioned for a breach of section 55 of the Data Protection Act, which relates to unlawfully obtaining personal data
• August 2015 – Consumer Claims Solutions Ltd was prosecuted for failing to register with the ICO
• August 2015 – payday lender The Money Shop was fined £180,000 after losing the personal details of several thousand customers
• November 2015 – the ICO undertook a ‘week of action’ concerning the claims management sector. It worked with the Claims Management Regulator at the Ministry of Justice in attending audits of several claims management companies. The ICO also wrote to more than 1,000 lead generation companies asking them to demonstrate that their practices complied with the law

The Report reminded firms of the data protection toolkit the ICO launched for small and medium-sized firms in January 2016. The toolkit asks a series of questions about a firm’s data protection arrangements, and firms can access it via https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment-toolkit/

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.