The Information Commissioner’s Office (ICO) is sending out painful warning signs as we rocket towards the EU General Data Protection Regulation (GDPR) coming into effect next year, in 2018. It has recently hit Honda and Flybe with a combined £83,000 fine after the two companies were found to have sent marketing emails to customers without having consent in advance.

The ICO first led an investigation in 2016 that exposed that the budget airline Flybe had sent 3.3 million emails to customers who had actively opted to not receive such material.
A £70,000 fine has been issued to Flybe, and a £13,000 fine to Honda.

In Honda’s case, the fine came about while the company was trying to comply with the data protection principles. It had hoped to clarify the marketing preferences of its recipients, because it held records of email addresses but no record of either an “opt in” or an “opt out”. Its emails were entitled “would you like to hear from Honda?” Honda viewed this as a “service email” and argued that it was attempting to maintain compliance with the data protection principles, but the ICO disagreed.

The forceful response to the misdemeanour comes at a time when data privacy is an extremely important issue. The General Data Protection Regulation (GDPR) outlines the possibility that an organisation can be hit with a fine amounting to up to four per cent of annual turnover.

This move also comes in light of the fast-approaching GDPR, which is set to ramp up the regulation of data maintenance, control and retention.

The ICO’s Head of Enforcement, Steve Eckersley, said: “Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law.”

Tim Dimond-Brown, head of EMEA North at GMC Software, had the following to say: “While most focus on the GDPR to date has been on security, these penalties from the ICO make clear that organisations need to answer much more basic questions on how they store customer data and actually communicate with customers. The right to privacy is a fundamental part of the GDPR; meaning that every single communication, and every process behind it, must be made with this in mind.”

Organisations looking to seek clarity from their customers and recipients as to their “opt-in” preferences should be cautious in their approach. The ICO has issued guidance which all compliance teams responsible for DPA (Data Protection Act) compliance should be asked to read.
For further information, please contact Koichiro Nakada – Head of Japan Business Group ( and Yoko Nakada - Senior Associate, Deputy Head of Japan Business Group (
The information and any commentary on the law contained in this bulletin is provided free of charge for information purposes only. No responsibility for its accuracy and correctness, or for any consequences of relying on it, is assumed by Lewis Silkin LLP or Centre People Appointments. The information and commentary does not, and is not intended to, amount to legal advice and is not intended to be relied upon. You are strongly advised to obtain specific, personal advice from a lawyer about your case or matter and not rely on the information or comments in this bulletin.

This information is supplied by Lewis Silkin LLP www.lewissilkin.comm
