Is a GDPR breach worth the risk?

The ICO has issued a timely reminder, if ever we needed one, that GDPR compliance remains high on its agenda, global pandemic or not.

The data watchdog has slapped a £90,000 fine on American Express for sending four million marketing emails without the recipients' consent.

According to the ICO's official account, it started investigating when it received a small handful of complaints from customers that they were receiving marketing emails despite having opted out. The emails included details on the rewards of shopping online with Amex; getting the most out of using the card and encouraging customers to download the Amex app.

Amex defended its actions by claiming the emails were account servicing communications and not marketing, a defence that fell on deaf ears, primarily because the emails were designed to encourage the recipient to make purchases on their cards, which would benefit Amex financially.

What we learn

There are several things we can take from this case...including some myth-busters.

1. It only takes a small number of complaints to put the ICO on notice
2. There is no fine line between an account serving email and a marketing email. If you are encouraging somebody to buy or use your product in a way that would benefit your business financially, it is marketing. The ICO provides the official distinction here.
3. An opt-out is an opt-out and must be respected. Override it at your peril.
4. A negligent rather than a deliberate act will earn you some mercy, but not total clemency.

But...

£90,000 for four million errant emails calculates at 2.25p per email, a figure that will hardly register at Amex and will no doubt be swallowed up in the cost of the campaign. For the record, Amex made $1.4bn in profits in the last quarter alone.

For Amex, the reputational cost of the the rebuke and the time taken in defending it will be of more concern.

But what justification does the ICO now have for imposing a heavier tariff on a smaller business for a similar offence? At this rate, a 50,000 miscreant email campaign - large for most SMEs - would generate a fine of only £900, hardly a significant deterrent and some might even consider it worth the risk if a few sales could be generated from the activity.

My point is not to encourage a disregard for the GDPR. On the contrary, despite the fact it can be a pain in the backside for those of us in the business of legitimate marketing, the principles are important.

No, if the ICO is going to engender a genuine fear of getting caught, exemplary fines need to be proportionate to the coffers of the offender, perhaps even more so than to to the offence itself.