It’s that time of year, and ICO has once again published its annual review. What data privacy insights does the review offer the interested marketer? Well, it reveals that people are becoming ever-more aware of their data protection rights, that marketers seem to be getting more privacy-savvy and that ICO has a grudge against the police, apparently. Phil Lee reports.
Who: Information Commissioner's Office
Law stated as at: 14 August 2008
The Information Commissioner published its 2007/2008 annual report on 15 July 2008, providing an interesting insight into the "behind the scenes" operations of ICO. The report is available online here.
The report identifies that, over the past year, ICO received some 24,851 data protection related complaints, up from 23,988 the year before. Of these, a mere nine (or, put another way, just 0.03%) resulted in the serving of enforcement notices against the data controllers concerned, whilst a further nine resulted in ICO obtaining formal undertakings from non-compliant data controllers bar three. All enforcement notices were served against regional police forces.
The annual report also highlights some statistics that will be of interest to marketers:
- Increasing awareness: Individuals are becoming increasingly aware of their data protection rights. In 2004, 74% of individuals were aware of their data protection rights to access personal information held about them. By 2007, this figure had risen to 90%. In the wake of the various high profile data protection breaches this year, it seems safe to assume that this figure will rise even higher.
- Common complaints: The most frequently-cited reasons for data subject complaints to ICO include "phone calls – live" (5%), "e-mail" (4%), "phone calls – automated" (3%), "fax" (2%) and "SMS" (2%) – in aggregate, 16% of the complaints received by ICO. Whilst the exact nature of these complaints is not expressly identified, it seems safe to assume that they concern unauthorised marketing communications over these channels. A further 2% concerned the "right to prevent processing" and a whopping 47% concerned "subject access", although it is not clear the extent to which these complaints concern marketing-related processing.
- Offending businesses: Of the businesses most frequently complained about, direct marketers accounted for only 4% of complaints received by ICO. Leading the pack were "Lenders" at 33% (although many of these complaints appear to have concerned subject access requests made by credit card holders following the OFT's announcement that bank charges over £12 in standard credit card contracts were likely to be unfair). Internet businesses also accounted for a further 3%.
- Fall in cold calling complaints: ICO notes that, since taking a more robust line in enforcing breaches of the Privacy and Electronic Communications Regulations (EC Directive) 2003, the numbers of complaints made to the Telephone Preference Service and ICO has dropped substantially. In January 2007, ICO notes that the "worst offender" generated over 420 Telephone Preference Service complaints in just one month; by contrast, in January 2008, that figure had dropped to just 25 complaints.
Why this matters:
ICO's annual report is interesting for a number of reasons. First, it highlights the fact that individuals are becoming increasingly aware of their data protection rights. Failure to abide by data protection laws will therefore carry ever greater reputational risk for marketers. The report also reveals that, currently, this is where the real risk lies and that, by comparison, enforcement risk is relatively low, just 0.03% of all complaints actually received (although, with the recent additional enforcement powers awarded to ICO, this may change going forward). Finally, notwithstanding this, the report suggests that marketers are becoming more data protection compliant, as indicated by the drop in complaints to the Telephone Preference Service – this, in turn, suggests that a non-compliant marketer will stick out like a sore thumb when compared to its more-compliant competitors, further increasing the reputational risk of non-compliance.
In summary, ICO's report reveals that data protection compliance is becoming ever more important. Not in the interests of avoiding enforcement because, frankly, the odds of that are pretty low. Rather because individuals are waking up to their rights and demanding ever greater respect for their privacy. The marketer that forgets this does so at its own peril!