New consultation on direct marketing code of practice

The UK’s data watchdog, the Information Commissioner's Office (ICO), has launched a public consultation on a draft direct marketing code of practice.

Direct marketing plays an extremely important role in how most businesses grow their customer base and showcase their products and services. It’s crucial to be aware of the rules around direct marketing to ensure compliance with the relevant legislation: the General Data Protection Regulation, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003.

The ICO has recently launched a consultation (closing date is 4 March 2020) on a new direct marketing code of practice. You can read the code and take part in the consultation through the ICO website.

Other ICO news

The Information Commissioner’s Office (ICO) has fined DSG Retail Limited (DSG) £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.

What went wrong for DSG?

An attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.

This failure by the company to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.

This incident occurred before the introduction of the Data Protection Act 2018, and the fine may well have been much higher had it happened after May 2018. The ICO investigation found that DSG had poor security arrangements and failed to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.

The ICO fined DSG the maximum amount allowed under the Data Protection Act 1998 as it considered that the personal data involved would significantly affect individuals’ privacy, leaving affected customers vulnerable to financial theft and identity fraud.