Legal Update: Data Protection – ICO’s Recent Enforcement Action

Over recent months the Information Commissioner’s Office (ICO) has issued a number of enforcement notices and fines to those companies that have acted in breach of Data Protection law.

Our commercial solicitor, Dan Dowen, gives an overview of recent actions taken by the ICO to combat such illegal behaviour.

June 2018

At the end of June, the ICO took enforcement action against two firms for making nuisance calls – Our Vault Limited and Horizon Windows Limited.  

Enforcement Notices have been issued to both companies ordering the firms to stop their illegal marketing activities.

As well as the enforcement notice, Our Vault was also fined £70,000 for making over 55,000 marketing calls to people who had registered with the Telephone Preference Service (TPS) and had not consented to being contacted by the company.

In a separate ICO investigation, Horizon Windows received the Enforcement Notice for making 104 unsolicited marketing calls to people registered with the TPS.

The ICO also issued a £77,000 fine to British Telecommunications plc in response to almost 5 million spam emails which it sent to its customers between December 2015 and November 2016.

The investigation found that the company did not have its customers’ consent to send direct marketing emails. Although the Information Commissioner acknowledged that BT did not deliberately break the rules, it should have known the risks and it failed to take reasonable steps to prevent them.

July 2018

In July, Noble Design and Build of Telford received fines of £4,500 for breaking data protection laws by failing to comply with an Information Notice. The company also failed to register with the ICO.

The company operates CCTV systems across Sheffield but had failed to comply with an Information Notice under s47 of the Data Protection Act. The company was also fined for processing personal data without having notified the ICO when required to do so in accordance with s17 of the Data Protection Act 1998.

The ICO also issued a fine of £60,000 to a company that had sent spam texts to more than 270,000 people, without their consent.

A total of 274,423 unsolicited text messages promoting pay day loans were sent between November 2016 and January 2017 via SIM cards registered to STS Commercial Limited of Bridgend, which was against the law.

The Commissioner’s investigation revealed that STS relied on the consent of a third party but did not carry out sufficient due diligence checks to ensure that the data complied with the Privacy and Electronic Communications Regulations (PECR). 

August 2018

The ICO has issued a £100,000 fine against AMS Marketing Ltd, who made over 75,000 nuisance calls to people who had registered with the Telephone Preference Service (TPS).

It is against the law to make marketing calls to people unless they have given their consent to that particular company. The ICO investigation found that AMS had no evidence of consent from those it contacted.

A second marketing company, Lifecycle Marketing (mother and baby) Ltd, has also received a £140,000 fine for illegally collecting and selling personal information belonging to more than one million people.

The data broking company sold the information to Experian Marketing Services, a branch of the credit reference agency, specifically for use by the Labour Party. Experian then created a database which the party used to profile the new mums in the run up to the 2017 General Election.

The Labour Party was then able to send targeted direct mail to mums living in areas with marginal seats about its intention to protect Sure Start Children’s centres.

The ICO investigation found that Emma’s Diary’s privacy policy did not disclose that the personal information given would be used for political marketing or by political parties. This is a breach of the Data Protection Act 1998.

This case formed part of the ICO’s comprehensive investigation into data analytics for political purposes.

The above examples highlight the stance taken by the ICO in response to data protection breaches and illegal activities. We expect to see further enforcement action taken by the ICO over the coming months now that GDPR is in full effect in the UK.

If you are worried that your business is not yet GDPR compliant or would like further advice on any data protection issue, please contact Dan Dowen on 02920 345511 or ddowen@berrysmith.com.