The national supermarket chain Morrisons has been fined for breaking the law after mistreating people’s personal information when sending marketing emails.
The Information Commissioner’s Office (ICO) fined the supermarket £10,500 after Morrisons deliberately sent emails to 130,671 people who had opted out of receiving marketing related to their Morrisons More card.
Deputy Commissioner Simon Entwisle said, “It is vital that the public can trust companies to respect their wishes when it comes to how their personal information is used for marketing. […] These customers had explicitly told Morrisons they didn’t want marketing emails about their More card. Morrisons ignored their decision and for that we’ve taken action.”
Fines under the GDPR would have been much higher
The EU General Data Protection Regulation (GDPR) comes into force in May 2018. The Regulation preserves the existing rights of individuals to object to direct marketing, but the rules for obtaining valid consent have been changed.
The consent document should be laid out in simple terms. Where consent is the lawful basis for processing, the consent given must be clear and affirmative. Silence or inactivity do not constitute consent.
Organisations that fail to comply with the Regulation can expect fines of up to 4% of annual global turnover or €20 million, whichever is higher.
As Morrisons reported an annual turnover of £16.3 billion for 2016/17, it could have been fined up to £652 million under the GDPR.
Get prepared for the GDPR
With less than 11 months until organisations need to comply with the GDPR, it’s more important than ever to look at what you need to do to prepare.
The EU GDPR Expertise Bundle provides you with the essential resources you need to develop your understanding of your organisation’s obligations under the GDPR.
The bundle will give you a comprehensive understanding of the Regulation, including compliance obligations and best practice, and provide you with guidance on starting your implementation project.