The politics of personal data and its misuse under GDPR

07 Nov 2018

Leave.EU, Arron Banks and Eldon Insurance (a company founded by Mr Banks) face Information Commissioner fines of £135,000 Data Law breaches. 

The report of the Information Commissioner’s Office (ICO) are part of the ongoing Information Commissioner probe into use and misuse of data by political campaigns and many will recall the writer’s recent posts on the Cambridge Analytica scandal.

The ICO alleges that over 1 million emails sent to subscribers of Leave.EU contained marketing for Eldon’s ‘GoSkippy’ services. The Emails were initially sent in August 2016 just after the Brexit referendum and continued to be sent for another 12 months thereafter. What you cannot do, as an organisation which controls or handles personal data given to you for one purpose, is to use it for another, unless there is a lawful reason for you to do so. The most common lawful reason is the consent of the person to whom the personal data belongs.

It is important to note, and proper to do so, that Mr Bank continues to deny the allegations. Mr Banks commented that the ICO had found that: 

"We may have accidentally sent a newsletter to customers" but "no evidence of a grand data conspiracy".

He continued:  

"Gosh we communicated with our supporters and offered them a 10% Brexit discount after the vote! So what?”

However Mr Banks unfortauntely misses the point. Data does not belong to the organisation that controls the personal data, the data belongs to the person concerned.

The report throws light on and describes the ‘close relationship’ between Eldon Insurance and Leave.EU. As matters stand, Eldon and Leave.EU face fines of £60,000 for sending these emails. In addition to the £60,000 fine, Leave.EU faces a £15,000 penalty for sending Eldon customers newsletters from Leave.EU.

The report says Eldon admitted to the ICO to one incident where a Newsletter from Leave.EU was emailed to Eldon customers, but said that this was due to an error in an email distribution management system. Eldon stated:

"We established that this incident occurred on 16 September 2015, when Leave.EU marketing staff sent an email newsletter, intended for Leave.EU subscribers, to more than 319,000 email addresses on Eldon's customer database."

And continued: 

"We are investigating allegations that Eldon Insurance Services Limited shared customer data obtained for insurance purposes with Leave.EU."

The ICO continues to investigate and has yet to reach a conclusion on other allegations relating to the company's overall handling of personal data.

This is a reminder that the duties on Data Controllers under GDPR (the General Data Protection Regulations) can be strict, and organisations must be careful that they have in place systems designed to prevent accidental loss of information. Furthermore, Data Controllers need to be very cautious. Just because you have someone’s permission to use their data for selling them goods and services, does not eman you can then use that information for purposes for which permission has not been given. 

With the fines now available under GDPR, which came into force on 25th May this year, Data Controllers need to put personal data at the heart of their Information Technology and Security Protocols. If caution is thrown to the wind, it could result in a potentially substatial fine as we have seen in the instance above, with there now being two tiers of fines that can be levied as penalties for non-compliance: 

The lower tier: up to €10 million, or 2% annual global turnover – whichever is higher. 
The higher tier is up to €20 million, or 4% annual global turnover – whichever is higher.

Further reading

Remote working and home security

Blog, News & PR
20/01/2021
With a large proportion of the workforce now working from home, security arrangements for home workers need to be addressed - Robert Ganpatsingh explains
Read more Read

Tenants take note: dilapidations damages to be subject to VAT

Blog, Legal Updates
19/01/2021
Property expert Cheraine Williams explains why dilapidations could be about to get more expensive
Read more Read

Covid business interruption insurance payments due to small and medium companies

Blog, Legal Updates
19/01/2021
Partner Jonathan Compton looks at the Supreme Court’s decision on business interruption insurance
Read more Read

DMH Stallard’s corporate team shortlisted for four awards

Blog, News & PR
18/01/2021
Current Corporate Law Firm of the Year hoping to hold on to the title in 2021
Read more Read
  • Brighton Office

    1 Jubilee Street

    Brighton

    East Sussex

    BN1 1GE

  • Gatwick Office

    Griffin House

    135 High Street

    Crawley

    West Sussex

    RH10 1DQ

  • Guildford Office

    Wonersh House

    The Guildway

    Old Portsmouth Road

    Guildford

    Surrey

    GU3 1LR

  • Horsham Office

    Ridgeland House

    15 Carfax

    Horsham

    West Sussex

    RH12 1DY

  • London Office

    6 New Street Square

    New Fetter Lane

    London

    EC4A 3BF

  • Get in touch