Fri 03 May 2024

Outsourcing marketing and communications: Avoiding risks and ICO enforcement

The Information Commissioner’s Office (ICO), as regulator of data protection and direct marketing practices in the UK, has recently fined Outsource Strategies Limited and Dr Telemarketing Limited a total of £340,000 for nuisance calls.

Together, the companies made almost 1.43 million calls to individuals on the UK's ‘do not call register’ (the Telephone Preference Service, or TPS), and there was evidence of the callers targeting elderly and vulnerable people. Recent enforcement by the ICO indicates that the regulator continues to take a proactive approach to cracking down on non-compliant marketing practices.

It is important that organisations take steps to manage and mitigate risks involved with outsourcing matters related to marketing and communications.

Who is responsible?

When organisations engage marketing providers, webmail providers or lead generators to conduct services on their behalf, in most instances it is the instructing customer who is the ‘controller’ of any personal data used to perform the services. Controllers have ultimate responsibility (and liability) for personal data under data protection laws.

Responsibility for complying with PECR (the specific Regulations which deal with direct marketing) rests with the sender, caller or instigator of the direct marketing message.

So, although your organisation may wish to rely on the expertise and resources of a third-party provider, when your organisation is the instigator of the marketing or the controller of any personal data to be used, your organisation must ensure that the service provider’s practices are compliant.

It is also worth noting that, in most cases, when your organisation is using a social media platform for targeted advertising, your organisation will be a controller (and generally a joint controller with the platform) in relation to personal data used for the targeting – this is because you are instigating the targeting and setting the parameters.

Recorded due diligence

Whether your organisation is seeking to increase its audience by purchasing contact details from a data broker or considering outsourcing the screening of its marketing lists against TPS, it is essential that your organisation conducts due diligence on the service provider’s practices and, where relevant, data.

Exactly what due diligence is required depends on the nature of the services being outsourced, and what risks might attach to services or data. For example, when using a data broker, your organisation will wish to understand, among other things, where the data originates from, how it is kept up to date, what individuals are told when the data is collected, how valid consents are collected, etc.

Whenever a processor is engaged, regardless of the service, the UK GDPR expects that controllers have satisfied themselves that the processor has adequate security measures in place, and this requires understanding what those measures are.

The answers to due diligence should be recorded for accountability purposes, and you will most likely want copies of the provider’s related protocols and procedures.

Do your contracts protect you?

Whenever a controller uses a processor to process personal data, a written contract that binds the processor to the controller is required. Data protection law stipulates what a data processing agreement must include, but when the processing relates to marketing, lead generation or list buying, additional consideration will need to be given to (a) guarantees and warranties provided by the provider, (b) indemnities to be provided by the provider, (c) any attempts by the provider to exclude or limit liability, and (d) SLAs (e.g. how often consents are to be refreshed, how often lists are to be screened, etc.).

Don’t forget about your own organisation’s obligations

Once organisations have completed their due diligence on providers and put in place robust contracts, it can be easy to forget that the organisation itself will have additional obligations to ensure compliance. For example, when using a data broker, upon receipt of the contact details your organisation (as the controller) is required to provide individuals with a privacy notice explaining how your organisation will use their personal data, and this must be done before any marketing is conducted.

How can we help?

Should you have any queries in relation to outsourcing and/or more generally wish to discuss your compliance with the data protection laws, please do not hesitate to get in touch with Valerie Armstrong-Surgenor, Partner, or Melissa Hall, Associate, in MFMac's Data Protection team.
