Wednesday 1 August 2018

Simon on: A GDPR cautionary tale

Lifecycle Marketing, the publisher of Emma’s Diary pregnancy guides, is in a whole heap of trouble because it sold personal data to the Labour Party. When it collected the data it told mums that it would share their data with other companies, but its privacy policy didn’t specifically state that it might supply the data to political parties. So once it did sell the data to a political party, Lifecycle was in breach of data protection legislation – and this was under the old Data Protection Act (1998), which isn’t anywhere near as tough as GDPR.
This story hasn’t come to a close yet, though, because at the time of writing the ICO has only announced that it will be fining Lifecycle Marketing. That is an unprecedented step in itself, but it means we have to wait a few months for the full ruling to understand everything in detail.
Our industry shares data and we should all be very careful of how we do that. Consider this example: a visitor walks onto an exhibition stand for a drinks reception and the exhibitor asks if they can scan the visitor’s badge.
It’s reasonable to say that the visitor gave permission for their data to be collected because they allowed their badge to be scanned. For the sake of clarity, the event organiser’s privacy policy should state that allowing your badge to be scanned by an exhibitor means your data will be passed to that exhibitor, but most people would understand that was the purpose of the scan anyway.
When you give permission for your badge to be scanned, you are giving permission for that company to be given your data. You are not giving permission for that company to share your data with other companies – stand sharers, for example. The company that scanned the badge becomes a data controller, and that gives them a responsibility to keep that personal data safe; if they want to share it with any other companies, they need your explicit permission separately.
So, be careful and be wary of any company that shares or sells you data, even if they claim that they have the full permission of the data subject. The ICO says that companies receiving data have to have proof that the data is correctly permissioned, which means the data subjects had to understand clearly and easily who the data was going to be supplied to. In the past 18 months, the ICO has prosecuted a number of companies for using lists of categories of companies that were “too vague” for the data subjects to be able to understand where their data was going.
GDPR is in place to encourage companies to be responsible custodians of data. A company should consider that it only has data on loan; it doesn’t own the data and therefore needs to treat it with care. A good analogy: a friend may be happy to lend you their bike, but that doesn’t mean they would be happy for you to lend their bike to someone else.