Personal Data Security Practices Remain Substandard, Officials Warn


The recent introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 is apparently having little to no bearing on the personal data security practices of many organisations in the UK. Particularly where insolvency is concerned, practitioners and FCA-authorised firms are still breaching even the most basic and important data protection guidelines.

This week, a joint statement was issued by the FCA, the FSCS, and the Information Commissioner’s Office (ICO) to reaffirm the importance of heightened responsibility when dealing with personal data. The statement outlined apparent widespread data security malpractice, with an emphasis on businesses attempting to unlawfully sell the personal data of their clients to claims management companies (CMCs).

Instances of unlawful personal data sales and distribution (both before and after a firm has gone into administration) are rife, claims the report from the regulators. The statement warns that firms distributing personal data without the legal consent of those it concerns may be breaching the terms of both the General Data Protection Regulation and the Data Protection Act 2018.

All direct communications carried out by claims management companies could also be a direct violation of the Privacy and Electronic Communications Regulations 2003 (PECR).

The regulators promised to take action against those found to have breached any applicable data protection laws and policies, encouraging those who may be doing so to revisit and reconsider their practices and policies.

A widespread public problem

Meanwhile, the UK’s data protection regulator has come under heavy criticism for failing to sufficiently protect the public from the risks of behavioural advertising, e.g., remarketing or targeted ads, which are ‘systematically’ breaking data protection and privacy laws.

Warnings were issued last summer that the growing AdTech (advertising technology) industry is already out of control, though little action has been taken to turn things around. The Information Commissioner’s Office previously agreed that real-time bidding (RTB) systems used in online advertising may be accessing and using people’s private information unlawfully.

“We have reviewed a number of justifications for the use of legitimate interests as the lawful basis for the processing of personal data in RTB. Our current view is that the justification offered by organisations is insufficient,” commented Simon McDougall, the ICO’s executive director of technology and innovation.

“The Data Protection Impact Assessments we have seen have been generally immature, lack appropriate detail, and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual.”

“We will continue to investigate RTB. While it is too soon to speculate on the outcome of that investigation, given our understanding of the lack of maturity in some parts of this industry, we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis.”