The Information Commissioner’s Office (ICO) has fined CRDNN Limited the highest possible penalty there is, amounting to £500,000, for conducting approximately 193 million automated nuisance calls. Not only was this a massive breach of privacy, but it disrupted the lives of millions of people. In addition, contact information was misused.
The company operates out of a Clydebank business park. CRDNN was raided by the ICO two years ago in March 2018. The raid resulted in the confiscation of computer equipment and documents. This also helped in further investigations related to nuisance call operations.
The ICO investigation revealed that CRDNN was making roughly 1.6 million calls per day on topics such as window scrappage, debt management, window, conservatory and boiler sales between the tenure of 4 months from June to October 2018.
Some of these calls compromised the security of the individuals who were being contacted. For example, calls made at the Network Rail’s Banavie Control Centre clogged up the line for drivers and pedestrians at unmanned level crossings. This became an obstruction to the safety of the general public.
The caller IDs were ‘spoofed’ numbers, this means that the recipients could not tell who was making the calls. This meant that they could not be identified, stopped or blocked. There were several legal complications also. Overall, the company broke the law by misusing data, not obtaining consent from the phone owners and by not providing any valid opt-out or opt-in.
The ICO received more than 3,000 complaints about the nuisance calls. Andy Curry, Head of Investigations at the ICO, said:
“This company affected the lives of millions of people, causing them disruption, annoyance and distress. The volume of calls was immense and to add to people’s frustrations attempting to opt-out of those calls simply compounded their receipt of further calls.
“But through the cooperation of the public who brought their complaints to us, we were able to identify those responsible and take action against them.”
Both the General Data Protection Regulation (GDPR) and Data Protection Act of 1988 are pivotal and require companies to follow strict guidelines. Anyone in contempt shall be penalised the same.