Myerson Logo
Home > News & Library > News and Views > Corporate Commercial > Further fines issued as ICO maintains tough stance on data breaches

Further fines issued as ICO maintains tough stance on data breaches

Written by Myerson on . Posted in Corporate Commercial

At some time or another, most of us will have received one of those annoying marketing calls, texts or emails asking if we’ve been involved in a road traffic accident or been mis-sold PPI, and have no doubt responded with “how did you get this number?” or simply blocked the caller. However, what many of us don’t realise is that at some point we will have either expressly or (more likely) inadvertently given our consent to being contacted by these parties for marketing purposes. This can be, for example, when we make an online purchase or enter a competition and omit to tick that tiny box to confirm that we don’t actually want to receive such marketing communications!

Where consent has been given, such direct marketing is perfectly legal, but where no consent has been obtained, recipients can report the unsolicited communications directly to the Information Commissioner’s Office (ICO) or the Groupe Speciale Mobile Association (GSMA), an organisation that represents the interests of mobile operators worldwide.


Businesses can be in a difficult position. They are not always involved in the process of obtaining consent, rather, they rely on the third party data suppliers to conduct appropriate due diligence when purchasing data sets or to obtain the necessary consents at the point of collecting the data. As such, it is common for businesses to claim they were not aware that the appropriate consents had not been obtained. However, the ICO has little sympathy for this excuse. Its view is that it is not acceptable for businesses to rely on third party assurances and that they should undertake their own proper due diligence in these circumstances. The ICO has recently issued some hefty fines to businesses for failing to obtain the appropriate consent before sending marketing communications.

Recent Fines

In May 2017, the ICO issued Radcliffe based used-car dealer Concept Car Credit Limited with a £40,000 fine for instigating the sending of over 300,000 marketing texts. Concept Car Credit argued that it had obtained the data used to send the text messages from third party data suppliers, however, the ICO confirmed that, as the instigator of the texts, it was Concept Car Credit’s responsibility to ensure it was only texting people who had consented to receive the marketing. Organisations cannot rely on assurances of indirect consent without undertaking proper due diligence.

The ICO has also fined Onecom Limited £100,000 under similar circumstances. Here, Onecom sent millions of spam texts without proper consent in contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). In fact, Onecom could not even provide evidence explaining the source of the data used to send the text messages. The ICO reiterated that organisations must undertake rigorous checks to satisfy themselves that the necessary consent has been obtained.

Enforcement action by the ICO hasn’t been restricted to large corporate entities. Since December 2016, the ICO has issued significant fines totalling £181,000 to a number of Charities for breaching the Data Protection Act (DPA) and the PECR (for more details on this see our blog “Have you donated more than just your money?”).


In light of the above decisions by the ICO, it is important for organisations to only send marketing communications to individuals who have specifically consented to receiving such communications from the sender, and the sender has carried out its own due diligence in relation to any third party data it is using. It is clear that particular care must be taken when relying on “indirect consent”, for example, when purchasing marketing lists from third parties.

If you have any questions about marketing and/or use of databases, please contact our Corporate Commercial team by phoning 0161 941 4000 or e-mailing

MSI Global Alliance

Myerson is the Manchester and Cheshire law firm member for MSI Global Alliance, a top 20 ranked, international association of professional firms.

Learn more...


Myerson act for a wide variety of clients across various sectors.

Learn more...


Read what a selection of our clients have to say about us.

Learn more...

Myerson Promise

We proudly offer our clients a promise which is at the cornerstone of everything we do. We always keep your specific concerns at the forefront of our minds.

Learn more...

Myerson Solicitors LLP
Grosvenor House, 20 Barrington Road, Altrincham, Cheshire, WA14 1HB

Tel: +44 (0)161 941 4000

Solicitors Regulation Authority
MSI Global
Law Society
Legal 500