Outsourced DPO – ignore the ICO at your peril

By Myles Dacres

Studios MG, a small software development company was issued with a monetary penalty notice in the sum of £40,000 last month for sending unsolicited direct marketing materials by email with out consent.  Reading the ICO’s report(https://ico.org.uk/media/action-weve-taken/mpns/2618388/studios-mg-limited-mpn.pdf), it seems that SMG were not readily forthcoming in engaging with the ICO during their investigation.  Chalk and cheese really compared to the lengths Marriott in particular went to in providing mitigating evidence to the ICO.  This is definitely something to learn from the recent MPNs – ignore the ICO and expect harsh treatment.


The Outsourced DPO couldn’t quite figure out why SMG, a software design and build consultancy, was sending emails to people about face masks.  Perhaps they thought it was something it should do to help people, or maybe it was for commercial gain of some sort.  What is clear is that SMG didn’t really have a clue where they had got specifically got the email addresses from other than “LinkedIn connections, events, [and] people who had emailed [the director]”.  In fact they claimed not to know how many emails they had sent and estimated it to be between 8,000 and 9,000.  Not wishing to be controversial, but that works about at about £4.50 to £5.00 per email.  Quite a lot more than the per capita equivalent of the Marriott fine.  Does that mean that failure to obtain consent and unlawfully sending direct marketing by email as a one-off is more serious a transgression than weak security over a number of years leading to a massive personal data breach?

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/.  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here https://www.tpsonline.org.uk/register.

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

    Data Protection People Limited – March 2021