Royal Mail fined £20,000 under PECR for marketing automation gone wrong

The ICO have fined Royal Mail £20,000 for their recent email marketing gaffe, which led to over 213,000 customers who had not consented to marketing communications receiving promotional emails for their commemorative ‘War of the Roses’ collectable stamp set.

Unusually this case did not begin with a series of complaints to the ICO from the public. Instead it began when Royal Mail used the ICO’s PECR breach reporting system to notify the ICO of a potential breach of the rules.

The ICO subsequently investigated. To summarise their findings:

  • Royal Mail’s marketing campaign was aimed at 245,850 people. 
  • It was targeted towards people who had previously bought stamps online or who’d expressed an interest in receiving marketing. 
  • The list was cross-referenced against their internal marketing permissions master database, to leave a group of 30,648 people who would be eligible to receive the communications.
  • The remaining 215,202 people who had opted out were added to a separate section in their marketing automation tool (Eloqua) and were intended to skip to the end of the process when it was set live.
  • The campaign was sent, but days later the team became aware of a mistake. 
  • They received 6 emails from customers complaining about the unsolicited marketing communications.
  • Royal Mail were found by the ICO to have breached PECR because they sent email marketing messages to people who had not consented to marketing.
  • The ICO, in light of mitigating factors, decided to fine them £20,000 for this breach. In the opinion of Measured Collective analysts this figure is small, especially when we compare it to other PECR cases involving similar numbers of data subjects earlier this year.

What practical advice can we take from this case?

Royal Mail appears to have had the best intentions. The processes they had in place had been working since “May 2018” for “circa 25 campaigns a month” according to details in the ICO’s enforcement notice.

This case tells us that it is important to continually review the potential impact of human error or technical error on your direct marketing campaigns, particularly when choosing new tools or designing new processes. You must consider what technical safeguards you could add to reduce the risk of a PECR or GDPR breach. For example, you may decide to add a mandatory approval step before a campaign can be sent, or a delay which pauses sending for 60 minutes once a campaign is set live, allowing any errors spotted within this time to be rectified or the campaign to be halted.

Royal Mail’s solution appears to involve setting up further checks when setting marketing automations live. It also involves making repeated checks on the permissions of contacts throughout the campaign, presumably distinct from the initial check made when launching a campaign that is identified in the ICO’s report.
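To make the safeguards above concrete, here is an added example (not Royal Mail’s code, and nothing to do with Eloqua’s actual feature set) of a send-time consent gate in Python. It assumes a hypothetical permissions master that maps an email address to a marketing-consent flag, an approval step before a campaign can go live, a 60-minute hold window after it is set live, and a second per-recipient consent check at the moment of dispatch, so a list that was wired up wrongly (the failure mode described in the ICO’s findings) still cannot reach opted-out contacts. All data is constructed for illustration.

```python
"""Send-time consent gate for an email campaign (added illustration, not
Royal Mail's or any vendor's code). Everything below is hypothetical:
PERMISSIONS stands in for a marketing-permissions master, and deliver()
stands in for the automation tool's actual send step."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

HOLD_WINDOW = timedelta(minutes=60)  # pause after "set live" before any send

# Constructed permissions master: True = consented, False = opted out.
PERMISSIONS: Dict[str, bool] = {
    "a@example.com": True,
    "b@example.com": False,
    "c@example.com": True,
    "d@example.com": False,
}


def split_audience(audience: List[str], permissions: Dict[str, bool]) -> Tuple[List[str], List[str]]:
    """First check: cross-reference the target list against the permissions
    master. Unknown addresses are treated as opted out (fail closed)."""
    eligible, suppressed = [], []
    for email in audience:
        (eligible if permissions.get(email, False) else suppressed).append(email)
    return eligible, suppressed


@dataclass
class Campaign:
    name: str
    recipients: List[str]
    approved_by: Optional[str] = None
    set_live_at: Optional[datetime] = None
    sent: List[str] = field(default_factory=list)
    blocked: List[str] = field(default_factory=list)

    def approve(self, approver: str) -> None:
        self.approved_by = approver  # mandatory approval before go-live

    def set_live(self, now: datetime) -> None:
        if self.approved_by is None:
            raise PermissionError("campaign not approved")
        self.set_live_at = now  # hold window starts here

    def halt(self) -> None:
        self.set_live_at = None  # anyone spotting an error can stop it


def send_campaign(campaign: Campaign, permissions: Dict[str, bool],
                  now: datetime, deliver: Callable[[str], None]) -> Tuple[int, int]:
    """Dispatch step. Refuses to run before approval and before the hold
    window has elapsed, then re-checks consent per recipient at send time
    (second check) so a mis-built list cannot reach opted-out contacts."""
    if campaign.approved_by is None:
        raise PermissionError("campaign not approved")
    if campaign.set_live_at is None:
        raise RuntimeError("campaign not live (halted or never set live)")
    if now - campaign.set_live_at < HOLD_WINDOW:
        raise RuntimeError("hold window still open; nothing sent")
    for email in campaign.recipients:
        if permissions.get(email, False):
            deliver(email)
            campaign.sent.append(email)
        else:
            campaign.blocked.append(email)  # record for audit, never send
    return len(campaign.sent), len(campaign.blocked)


def run_demo() -> dict:
    """Reproduce the failure mode: the whole audience, opted-out contacts
    included, is wired into the send step by mistake."""
    t0 = datetime(2019, 1, 1, 9, 0, tzinfo=timezone.utc)
    audience = list(PERMISSIONS)
    eligible, suppressed = split_audience(audience, PERMISSIONS)
    campaign = Campaign("commemorative-stamps", recipients=audience)
    campaign.approve("marketing-lead")
    campaign.set_live(t0)
    try:  # ten minutes in: still inside the hold window, nothing goes out
        send_campaign(campaign, PERMISSIONS, t0 + timedelta(minutes=10), lambda e: None)
        early_blocked = False
    except RuntimeError:
        early_blocked = True
    # hold window over: send-time check still drops the opted-out contacts
    sent, blocked = send_campaign(campaign, PERMISSIONS, t0 + HOLD_WINDOW, lambda e: None)
    return {"eligible": eligible, "suppressed": suppressed,
            "early_blocked": early_blocked, "sent": sent, "blocked": blocked}


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that the suppression list built at campaign-creation time is never trusted on its own: the dispatch step consults the permissions master again for every address, and an unknown address is treated as opted out rather than eligible. The hold window and `halt()` give the team the pause the text suggests, and the `blocked` list gives an audit trail of what the gate stopped.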

When deciding on the enforcement action, the data protection commissioner identified the following as mitigating factors: Royal Mail’s plans to undertake a full data protection audit of its marketing activities; the isolated nature of the event (human error); and Royal Mail’s cooperation, in particular its decision to notify the ICO of the breach despite there being no legal requirement to do so.