Compliance costs money, there is no getting away from that simple fact! The temptation to avoid spending resources on compliance is all too great, particularly when a business is young or going through a growth period. Attention is focused almost entirely on driving up sales and creating exciting profits.
I am a specialist solicitor defending companies subject to regulatory investigation and enforcement, particularly well-known for the work I do in representing companies in trouble with the Information Commissioner’s Office (ICO).
I see a lot of oversight when I’m representing such companies. The owners have created a great product or service and found their route to market, which nowadays is often through electronic channels, such as social media, or more traditional telemarketing.
The newly employed sales team is enthusiastic and hitting their targets, with healthy bonuses being paid. All is well. However, there is one area that is very often overlooked - compliance with the rules that surround this great new business.
Why do companies get investigated by the ICO?
Most of the companies I represent before the ICO have fallen foul of the direct marketing laws, PECR in particular (the Privacy and Electronic Communications (EC Directive) Regulations 2003). PECR dictates what you can and can’t do when it comes to direct marketing, so it really governs how you make those sales to your customers.
I usually encounter a ‘desire’ to be compliant, sitting on the directors’ ‘to-do’ list.
However, it often remains on that to-do list whilst their attention focuses on sales and growth. An easy trap to fall into!
Whilst compliance may be a burden to many companies, it is a necessary evil and can’t be overlooked.
Why? Because the fines are hefty and often leave both the company and any directors vulnerable.
Am I doing direct marketing?
Most companies are doing some form of direct marketing, although they are often unaware of it. I have defended many companies where the directors have said at the first meeting: “There must be a mistake, we don’t do any direct marketing at all”. It is only when I look at what they have been doing that it becomes obvious that the opposite is true.
ICO enforcement usually starts with a formal letter of investigation, which requests a lot of information about how the possible breaches of the rules have occurred.
They ask for information such as:
Where did the data come from?
How many marketing messages were sent out?
How many calls were made?
Which processing condition were you relying on? Consent?
Most companies can answer the questions, but then the PECR question arises and they are usually stuck for an answer.
It is normally one of the last requests in the ICO’s letter and goes along the lines of:
“Please provide copies of any policies or procedures and training materials used to inform staff about PECR.”
When I’m going through the letter with the company directors and very often their rather embarrassed marketing and compliance leads, the answer is almost always that they have a data protection policy of sorts and do some training.
However, they have almost always overlooked the rules that so closely affect their sales processes - PECR. They have no policies on PECR and certainly have not done any staff training.
The ICO expects those doing direct marketing to familiarise themselves with the rules and make sure their staff are properly trained. It does not help the company’s response to the letter of investigation when they can’t supply any PECR material at all.
Does it really matter?
The simple answer is yes, it does! The ICO has significant powers when it comes to breaches of the rules, including fines for the company of up to £500,000 and similar for the directors themselves. They’ve issued more than £2.4 million in fines over the last year or so.
They can also restrict how a company operates by way of an Enforcement Notice, which may be to prohibit its marketing methods.
Perhaps the biggest harm caused by falling foul of the rules is damage to the company’s reputation. The ICO publish enforcement action on their website, so any company featured there will suffer significant damage to its good name. This very often leads to the end of the line for the company and the closure of the business.
You can of course appeal against an ICO decision, which may resolve the matter. I have seen some companies decide to ignore their penalty or plead poverty. The regulator is fair if the company genuinely can’t pay a fine and arrangements can be agreed to make a settlement.
However, if the ICO take the view that the company or its directors are just avoiding the fine, they will involve the Insolvency Service and look towards winding the company up and directors’ disqualifications, often for many years. Indeed, in the last few years over 36 directors have been disqualified in such circumstances.
Therefore, returning to the original question of whether you can afford to ignore the direct marketing laws, the simple answer is - no.