Bounty (UK) Limited, the pregnancy and parenting club, has been fined £400K by the UK’s Information Commissioner’s Office (ICO) for sharing personal data of some 14m people with a number of organisations including credit reference and marketing agencies without their consent.

This fine was imposed under the old Data Protection Act as that was the instrument in force at the time, but Bounty’s actions would equally have fallen foul of the current General Data Protection Regulation.

While Bounty operated as a data broker at the time of the offences, and there are a number of factors that affected the size of the fine (for example the large number of records and the fact that some children’s data was involved), there are some key takeaways for all businesses concerned with data privacy and compliance with GDPR.

Firstly, the ICO noted that while Bounty’s online privacy notice contained “a reasonably clear description of the organisations they might share information with”, it failed to mention the four largest recipients of the data they shared.

Does your privacy policy specifically state who you are sharing data with? If you are going to include a named list, check that it is comprehensive.

Secondly, in addition to collecting personal details on their website and on a mobile app, both of which included an opt-in checkbox to consent to receiving promotions from “carefully selected third parties”, Bounty also collected personal data on hardcopy cards.

These cards did not include a marketing checkbox, but included a statement “By providing your email address and/or telephone number (optional) you consent to be contacted by these channels as well as post. We will take great care of the information you have provided and will use it to fulfil your membership of Bounty. While you are a member, we may share your information with a selected group of companies who also have services, free samples, offers and product information that may be of interest to you.”

As offline registrants had to provide their name and address details, they were considered not to have had a choice as to whether to opt in to marketing communications. It was also noted that offline registrants might not have had access to the privacy policy on the website and the details it contained about who Bounty were sharing personal data with.

If a business is collecting personal data offline and that data is to be used for marketing purposes, there needs to be an opt-in checkbox on the form, and the business will have to consider how to make available to offline registrants any required information that is available to online registrants.

A third point of interest to DPOs and CISOs will be the ICO’s ruling that Bounty’s actions were considered deliberate because they ought to have been aware of the risk of a contravention and failed to take reasonable steps to prevent it.

“While it may not have set out to contravene the DPA, Bounty’s actions in sharing the data were plainly deliberate. In any event, the Commissioner considers that Bounty knew or ought reasonably to have known that there was a risk that the contravention would (a) occur, and (b) be of a kind likely to cause substantial damage or substantial distress. She further considers that Bounty failed to take reasonable steps to prevent such a contravention…”

As is always the case when it comes to the law, ignorance is no excuse!

What did Bounty say?

Bounty has of course apologised (“We made a mistake for which we are sorry”) and updated both their privacy policy and the list of partners they still share data with.

They are no longer involved in the data brokerage business, having exited that sector in April 2018, just prior to the enforcement of the GDPR.

Their website now includes the “Bounty Promise”, where they detail their commitment to “complete transparency”.

Interestingly, one of their commitments is to have an “independent data expert” check their progress and they say they will publish their findings on the website.

Having some kind of independent audit of data processing practices is a good idea that might be copied by other organisations. This kind of oversight, if properly done, can help to ensure that you are following best practice in your data processing activities and that appropriate security measures are in place.

Summing Up

The Bounty case may give a few DPOs pause for thought, but the key takeaway should be that transparency and honesty are the best policy.

Be absolutely clear about how you process personal data and if you are relying on consent as your legal basis for processing, make sure it is genuinely informed and freely given.

There are of course costs associated with putting measures and procedures in place to comply with data privacy regulations. However, this is really just good business practice and can be used as a competitive advantage. With proper planning, staff training and the right tools, GDPR compliance doesn’t have to be onerous.

What is becoming increasingly clear is that failure to comply can be very costly indeed.

In addition to the fine that Bounty has received, they will have spent a great deal of time and money rectifying their errors: amending processes, training staff, implementing enhanced security measures, performing risk assessments, rewriting data processing agreements, and probably a considerable sum on PR to mitigate the reputational damage done.

If you have concerns about your obligations under GDPR or how your business can best protect your data and comply with the law, use the contact box to get in touch to find out what tools, training and help are available.
