ICO Investigations 2021

The Information Commissioner’s Office (ICO) is the UK’s independent regulatory body designed to uphold and regulate laws surrounding data protection, communications and networking. The ICO is also responsible for enforcing the EU’s General Data Protection Regulation (GDPR).

The data protection watchdog has a variety of powers to ensure that these strict procedures are upheld by organisations that process and store personal information. It is vital that any company with access to such data is registered with the ICO.

For companies that have fallen foul of the exacting compliance required, the ICO can issue, in worst-case scenarios, fines up to £17.5 million or 4% of the organisation’s total global annual turnover. Such failures could include data breaches or potential negligence. Even failure to notify the ICO of an issue could carry a fine of up to £8.7 million or 2% of the annual worldwide turnover.

Most of us will be aware there have been some high profile data breaches recently, such as the Irish Health Service data breach in May 2021, but whether a cyber attack or employee error, the ICO also deals with other types of data protection breaches.

From January to July 2021, the ICO finalised a number of investigations and issued organisations with fines, future recommendations and guidance. The cases concerned unsolicited emails, text messages and calls, as well as data breaches.

American Express

American Express Services Europe Limited (AMEX) has recently been fined £90,000 for their mishandling of over four million marketing emails.

Between 1 June 2018 and 21 May 2019, AMEX sent over five million emails to customers and, after numerous customer complaints, an investigation was launched. A staggering 4,098,841 of these were deemed to be marketing emails, which customers had not given prior consent to receive. The emails contained information such as rewards for shopping online, getting the most benefits from their AMEX cards and inviting consumers to download their app.

AMEX had maintained that the emails were ‘service’ emails rather than marketing emails, but the ICO determined that the emails were deliberately designed to encourage customers to use their cards, leading AMEX to gain financially.

The ICO publishes clear definitions of service emails and marketing emails. Service emails may contain changes to terms and conditions, payment plans and the like. Marketing emails are directed to particular individuals and promote advertising and marketing material. Sending marketing emails to people without prior consent is against the law.

We Buy Any Car

In September 2021, We Buy Any Car was handed a £200,000 fine for sending unsolicited emails and nuisance texts.

Following 42 customer complaints to the ICO over a 12 month period, the watchdog found that 191 million emails and 3.6 million SMS messages had been sent to people who had requested an online car valuation. The initial emails were found to be within the stringent guidelines, but subsequent emails promoted We Buy Any Car’s services without prior customer consent. Customers must also be given a clear understanding of what they are opting into.

Sports Direct

As part of a re-engagement campaign between December 2019 and February 2020, Sports Direct sent 2.5 million emails to customers with whom it had not been in contact for some time.

The ICO’s investigation found that Sports Direct had no evidence to prove customer consent, and they were fined £70,000.

Your Home Improvements Limited

The ICO is also obliged to investigate nuisance calls, not just emails or text messages. Your Home Improvements Limited was fined £20,000 in September 2021 for making unsolicited calls to customers registered on the Telephone Preference Service (TPS). The TPS is a free service allowing individuals to opt out of unsolicited calls and have their preferences logged on an official register.

Only four individuals made a complaint to the ICO and TPS, but this was enough to warrant a further review.

Mermaids

Mermaids, a transgender charity, was fined £25,000 in July 2021 for failing to keep users’ personal data secure, following a data breach that was only discovered in June 2019.

The ICO found that the organisation had insufficient security settings, and that 780 pages of confidential emails had been accessible online for almost three years. The names and email addresses of 550 people were readily searchable online, some with extremely sensitive data attached, such as mental and physical health status and sexual orientation.

The ICO determined that the company had a ‘negligent approach towards data protection, inadequate policies in place and a lack of staff training.’

The organisation has worked with the ICO since the breach and stringent safeguards have been implemented, along with considerable improvements to their data storage process.

Any company, no matter what size, is expected to adhere to the laws governing our data protection, ensuring it stays legally secure. With so many parts of our lives requiring the use of our personal information, from banking to health care, online shopping and social media platforms, it is imperative that our data is stored securely and only accessible with our permission. It is not an unreasonable demand that it should stay that way.

To protect our partners, we require that they follow all applicable local data protection requirements, including GDPR in the UK and CAN-SPAM in the US.