10 things that happened whilst I was on maternity leave (and two that didn’t)
Number 9: Direct marketing – liability of directors for privacy breaches,
and awaiting a new code of practice

Directors of companies responsible for nuisance calls and other direct marketing privacy breaches may now be subject to monetary penalties, and several have already been banned from acting as directors.

Coming soon: A new ICO direct marketing Code of Practice with up to date practical guidance on applying the data protection and privacy rules.

Liability of directors for direct marketing breaches

Since 2012, the UK Information Commissioner’s Office (ICO) has imposed a significant number of monetary penalties on companies for unlawful direct marketing activities under Privacy and Electronic Communications (EC Directive) Regulations 2013 (PECR) (and related data protection breaches too). However, companies have been winding up as a common tactic to avoid paying the fines.

The ICO has therefore been looking for ways to combat this. Two key developments are as follows.

  • The ICO has worked with the Insolvency Service to disqualify the directors of the companies from serving as directors. In February 2019, the ICO reported that, up to that date, 16 directors had been banned from running a company for more than 100 years in total.
  • In December 2018, PECR was amended1 to allow the ICO to impose monetary penalties directly on company directors and other officers. This can be done where a monetary penalty has been served on the company, and the ICO is satisfied that the relevant breach took place with the consent or connivance of the director or officer, or was attributable to their neglect. The ICO has not yet reported any such penalties on directors.

ICO calls for views on Direct Marketing Code of Practice

In November 2018, the ICO called for views on a Direct Marketing Code of Practice, which it is required to publish in accordance with section 122 of the Data Protection Act 2018. The Code of Practice will practice guidance for carrying out direct marketing in compliance with the law, and other guidance to promote good practice in direct marketing. It is envisaged that the Code will build on the ICO’s current direct marketing guidance, and will be updated once the new ePrivacy laws are finalised (see article number 12 in my series).

The consultation closed in December 2018, but the ICO has not yet published the new Code. In the meantime, the ICO’s current guidance can be found within its Direct Marketing Guidance on its website. The latest version is dated March 2018, which included some updates for GDPR preparation, but did not at that stage address all relevant issues under the GDPR and Data Protection Act 2018.

Olivia Whitcroft, principal of OBEP, 29 July 2019

1 Under The Privacy and Electronic Communications (Amendment) Regulations 2018

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details