British airline firm Flybe has been fined £70,000 for breaking the Privacy and Electronic Communication Regulations (PECR). The company sent more than 3.3 million marketing emails to people who had opted out of receiving them.
Flybe said it had sent the emails in order to update its records in preparation for the EU’s General Data Protection Regulation (GDPR), which will come into effect on 25 May 2018. In the process of doing so, the company breached existing data protection laws.
The emails, sent in August 2016, advised people to amend out-of-date personal information and update their marketing preferences. However, the Information Commissioner’s Office (ICO) – the UK’s data protection regulator – said Flybe should have obtained people’s consent before sending the emails.
“Sending emails to determine whether people want to receive marketing, without the right consent, is still marketing, and it is against the law,” said Steve Eckersley, head of enforcement at the ICO.
“In Flybe’s case, the company deliberately contacted people who had already opted out of emails from them.”
The emails also offered customers the chance to be “entered into a prize draw” for contributing.
Flybe told the BBC it wanted to “sincerely apologise” to affected customers.
“We can confirm that appropriate mechanisms have already been actioned to ensure that such a situation does not happen again,” the company said.
Complying with the GDPR
When the GDPR comes into effect, organisations that process the personal data of EU residents will have to comply with much stricter data protection requirements, particularly when it comes to obtaining customers’ consent.
They will also be subject to much harsher penalties. The maximum fine that can currently be levied for breaches of the Data Protection Act is £500,000, but under the GDPR, severe data breaches could see organisations receiving fines of up to 4% of their annual global turnover or €20 million (approximately £17 million), whichever is greater.
Responding to the Flybe case, Eckersley said that companies should be preparing for the GDPR and looking at how they will obtain customer consent for marketing.
Flybe’s intentions were therefore praiseworthy, but the company didn’t go about it in the right way.
“Businesses must understand they can’t break one law to get ready for another,” said Eckersley.
Prepare your organisation
This incident is just one example of how tricky regulatory compliance can be – and how costly it can be when you get it wrong.
If your organisation is currently preparing for the GDPR, or if you are looking to understand and demonstrate your knowledge of the GDPR, you should take a look at IT Governance’s EU GDPR Expertise Bundle.
With a number of GDPR resources in one package, the bundle includes a pocket guide to the Regulation, an implementation and compliance guide, and an introduction to the legal and practical data protection risks involved in using Cloud services.