Just had an interesting phone call with a company about their spam emails. This company has emailed me about one of their "special offers", needless to say I never signed up to receive said offers. When I rang to ask to be removed from the mailing list, the person answering the phone said they had received lots of complaints about the emails. Apparently I have been lucky because I only have two emails, some of the people they have been emailing have been receiving 2 an hour for days! According to the company, they outsourced their email marketing to a company in China and they haven't been following the instructions they were given. A number of people who have been getting the emails have been complaining to the ICO.
So where has this company gone wrong? (This is my speculation, based on the phone call.)
1. Breach 1 - I never gave them permission to email market to me. I had never heard of them before the email came through, so I definitely didn't sign up. You need to have a person's permission to be able to electronically market to them. You should also record where the sign-up information was gathered. Lots of people don't remember signing up, and the ICO, if they investigate, will look for confirmation that you have permission.
2. Breach 2 - The emails did not have an unsubscribe option at the bottom, so I had no choice but to call to cancel. Given that the person didn't take my email address, I expect more emails from them in the future. There are certain criteria that have to be met when email marketing, one of which is that there is the ability to unsubscribe from future contact. It is an offence to fail to remove someone from your mailing list when they ask.
3. Potential Breach 3 - IF I had given them permission for email marketing, did they also ask my permission to send my details outside the EEA (to their marketing company in China)? Probably not. If you are sharing personal information outside the EEA, you have to tell the provider of the information at the time of collection.
4. Potential Breach 4 - Sending the information to China, which is not an approved country for data transfers, meant the company needed a specific clause and contract in place to protect individuals' information. It seems unlikely in this case that they complied. https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/
Needless to say this company is already getting attention from the ICO regarding the level of complaints. If you need help to avoid a similar situation, contact me to discuss how we can help. ask@audit-and-risk.co.uk