The ICO has fined data brokering company Verso Group (UK) Ltd £80,000 for a serious and deliberate contravention of the Data Protection Act 1998 (DPA).
An ICO investigation found that the company had supplied personal data to two other companies who then used the data for telemarketing purposes (including nuisance calls). Verso failed to ensure it had appropriate consents from the data subjects to forward their personal data on in this way.
In determining the amount of the fine, the ICO considered:
- The contravention involved large volumes of personal data and data subjects;
- Verso’s contraventions were systemic, deliberate and not isolated or one-off;
- These contraventions occurred over a period of years; and
- Verso’s conduct during the investigation was found to be “unhelpful and obstructive.”
Organisations should keep in mind that the GDPR is replacing the DPA in May 2018, and under the new law consent will be even harder to obtain as a basis to process data.
The GDPR places an even greater focus on organisations being transparent on information being provided to individuals before their data is processed. The ICO’s findings and sanction also emphasise the importance of assisting the ICO in any investigations they carry out.