Pension company fine highlights perils of bad advice and non-compliance

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Grove Pension Solutions Ltd has been fined £40,000 for sending just over 2 million unsolicited emails.

What’s interesting about this case is that a third-party was used to send the emails making use of hosted marketing campaigns. They even checked with a data protection expert and lawyer before instructing the marketing program to be carried out, but this was not enough, with the ICO commenting that this “proved to be inaccurate” advice:

“We acknowledge that Grove Pension Solutions Ltd took steps to check that their marketing activity was within the law, but received misleading advice. However, ultimately, they are responsible for ensuring they comply with the law and they were in breach of it.

Even seeking advice and checking compliance was not enough to save them from receiving the fine – the ICO even adds, rather cheekily, that they would have given them advice for free!

The detail of the case is in the penalty notice.

Essentially the case came to light after the FCA (Finance Conduct Authority) alerted the ICO to Grove’s activities – the ICO had only received a couple of separate complaints.

Grove had instructed a marketing agent to deal with their marketing activities. The agent in turn made use of email providers who collected consent for email marketing via a number of websites, but on inspection of these websites and the information provided to the ICO, the ICO concluded that those people opting-in via the websites would not have known to expect emails from Grove.

In a comprehensive response to the ICO, Grove set out how they received independent advice from a data protection consultancy and verified that advice with a data protection solicitor and both had concluded it was lawful for them to send the emails.

The ICO found Grove guilty of breach of Regulation 22 of PECR (Privacy and Electronic Communications Regulations 2003 – the law that sets out, amongst other things, the rules for direct marketing), meaning they did not have the appropriate consent from the data subjects for the purposes of sending the emails. The ICO also highlighted that  their direct marketing guidance says ”

So, what can be learnt from this case?

  • Even with evidence of due diligence, if that due diligence is wrong, it won’t stop you receiving a fine – this seems rather harsh, but we assume that Grove will now be suing for damages the data protection consultancy and the law firm given that they acted on their advice
  • You have to be careful when you’re relying on third-parties to do your email marketing for you – even if on the face of it, it looks as though they’re compliant, you need to be sure that the consent collected is compliant consent – the ICO highlights that their direct marketing guidance states “organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls. This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages
  • Consent has to be specific enough for the subscribers to understand precisely what they’re consenting to and who they will receive marketing messages from, “general third parties” is not sufficient, nor will terms like “similar organisations” or “selected third parties”. But counter to that, an exhaustive list of potential organisations is also not suitable. But what is clear is that Grove weren’t named as a potential sender of marketing emails and therefore consent was not valid.

Of course, where consent is concerned this will be even more relevant to GDPR compliant consent requirements (this case was actioned under old-Data Protection).

If you’re using third-parties to send your email marketing to subscribers the third-party has curated, you may need to so some checking and due diligence to ascertain the subscribers are expecting to hear from you.

 

More To Explore

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy