PECR breach provides a good lesson
This is the first blog I have done in relation to the Privacy and Electronic Communications Regulations for some time, and it’s been prompted by a compliance breach that I came across a couple of weeks ago that I thought would be worthwhile sharing.
Fred started work on Monday as a sales executive with Acme Inc, a start-up micro business. He thought he’d use his initiative and browse the internet looking for suitable B2B sales prospects. It was Fred’s first job and he joined Acme via a graduate sales recruitment business, completing his basic sales training with a professional sales training company. Fred had been trained to drum up leads using this kind of research method.
He found the website of a potential target company which had a phone number emblazoned all over its home page in large red characters, and so he called it to see if the company might be interested in finding out more about his new employer’s products and services. Fred thought that as the number was in the public domain and the published number of a business, it would be ok to call. The number was a mobile number.
The individual whom the sales exec spoke to, Mr Smith, was understandably pretty grumpy about being called and asked where the sales exec had got his number from. “It’s on your web site,” said Fred. Mr Smith told Fred that the number was registered on the Telephone Preference Service (TPS) and therefore he was breaking the law by calling it.
I was asked to comment on the scenario and advise what should be done.
Privacy and Electronic Communications Regulations
My reading of the situation is that Mr Smith is of course correct – a mobile phone number that has been registered with the TPS should not be used by data controllers or their staff for unsolicited direct marketing calls. The fact that it is in the public domain is not relevant. As it turns out, Mr Smith runs a small business and has a website to provide information about and promote his services. He has published his phone number on the site so that prospective customers can get in touch with him – in fact it says this fairly clearly on his home page in a kind of reverse privacy notice if you like … “please call to make enquiries about our services”.
Mr Smith has chosen to register that number on the TPS specifically to stop people (like Fred) finding his website and calling to sell him something. Of course, all individuals have certain rights set out in information rights law that are designed to protect our privacy and allow us to object to and subsequently prevent unsolicited direct marketing by whatever means.
I have to say that the sales guys felt that they had been tricked. They felt that anyone who publishes a phone number on a business website should not be surprised to receive calls – a popular misconception that still prevails after many years of PECR.
So – what did we advise the client to do? Bearing in mind this is a 4-person company, the fix had to be effective but not overly expensive or resource hungry.
Initially Fred’s manager called the individual to apologise and promised to implement process changes to prevent a recurrence – which he did. We provided a training session on PECR and produced an informational poster for display in the sales office to remind the sales execs of the rules of engagement. We also investigated implementing a database-level TPS suppression process to run daily to apply updates to phone numbers that appear on the suppression lists – but coming in at a £5k fix, the client instead implemented a manual TPS screening process through a useful and excellent TPS/CTPS checking website (https://www.tpschecker.co.uk/).
So what are the learnings from this exercise? Having spent the last few months immersed in GDPR I really enjoyed getting back to basics with some good old telesales and PECR work – but I was surprised to find the misconception still exists that personal information in the public domain is unequivocally “fair game” for outbound unsolicited telemarketing.