Leave.EU, Arron Banks and Eldon Insurance (a company founded by Mr Banks) face Information Commissioner fines of £135,000 for Data Law breaches.
The report of the Information Commissioner’s Office (ICO) is part of the ongoing Information Commissioner probe into use and misuse of data by political campaigns and many will recall the writer’s recent posts on the Cambridge Analytica scandal.
The ICO alleges that over 1 million emails sent to subscribers of Leave.EU contained marketing for Eldon’s ‘GoSkippy’ services. The emails were initially sent in August 2016 just after the Brexit referendum and continued to be sent for another 12 months thereafter. What you cannot do, as an organisation which controls or handles personal data given to you for one purpose, is to use it for another, unless there is a lawful reason for you to do so. The most common lawful reason is the consent of the person to whom the personal data belongs.
It is important to note, and proper to do so, that Mr Banks continues to deny the allegations. Mr Banks commented that the ICO had found that:
"We may have accidentally sent a newsletter to customers" but "no evidence of a grand data conspiracy".
"Gosh we communicated with our supporters and offered them a 10% Brexit discount after the vote! So what?"
However, Mr Banks unfortunately misses the point. Data does not belong to the organisation that controls the personal data; the data belongs to the person concerned.
The report throws light on and describes the ‘close relationship’ between Eldon Insurance and Leave.EU. As matters stand, Eldon and Leave.EU face fines of £60,000 for sending these emails. In addition to the £60,000 fine, Leave.EU faces a £15,000 penalty for sending Eldon customers newsletters from Leave.EU.
The report says Eldon admitted to the ICO to one incident where a newsletter from Leave.EU was emailed to Eldon customers, but said that this was due to an error in an email distribution management system. Eldon stated:
"We established that this incident occurred on 16 September 2015, when Leave.EU marketing staff sent an email newsletter, intended for Leave.EU subscribers, to more than 319,000 email addresses on Eldon's customer database."
"We are investigating allegations that Eldon Insurance Services Limited shared customer data obtained for insurance purposes with Leave.EU."
The ICO continues to investigate and has yet to reach a conclusion on other allegations relating to the company's overall handling of personal data.
This is a reminder that the duties on Data Controllers under GDPR (the General Data Protection Regulations) can be strict, and organisations must be careful that they have in place systems designed to prevent accidental loss of information. Furthermore, Data Controllers need to be very cautious. Just because you have someone’s permission to use their data for selling them goods and services does not mean you can then use that information for purposes for which permission has not been given.
With the fines now available under GDPR, which came into force on 25th May this year, Data Controllers need to put personal data at the heart of their Information Technology and Security Protocols. If caution is thrown to the wind, it could result in a potentially substantial fine as we have seen in the instance above, with there now being two tiers of fines that can be levied as penalties for non-compliance:
The lower tier: up to €10 million, or 2% annual global turnover – whichever is higher.
The higher tier: up to €20 million, or 4% annual global turnover – whichever is higher.