Eldon could face ‘significantly higher’ fines as ICO launches audit

The Houses of Parliament and Big Ben

Eldon Insurance could be faced with fines that are “significantly higher” than the combined £135,000 it and Leave.EU have been ordered to pay if the Information Commissioner’s Office finds evidence of misdeeds in an audit of the broker.

Information commissioner, Elizabeth Denham, and ICO deputy commissioner, James Dipple-Johnstone, testified before a select committee on ‘disinformation and fake news’ this morning.

They discussed the findings of an investigation that saw Eldon fined £60,000 and Leave.EU fined a total of £75,000 for alleged ‘serious’ marketing regulation breaches.

According to the select committee, Eldon has now said that it notified the ICO at the time of one of the breaches, but the ICO claimed to have no record of this. 

“We did check with the company to provide any documentation as part of our enquiry,” Dipple-Johnstone said.

An audit will be carried out into Eldon’s use of personal data and fines could exceed the amounts already stipulated, as they would fall under data protection law.

Denham told the committee: “The audit will be conducted under Data Protection law. Fines could be significantly higher if we find misdeeds.”

General Data Protection Regulation came into effect in May this year. The maximum penalty is up to €20m (£17.5m), or 4% of a firm’s turnover.

While GDPR can only be applied for breaches that happened since it came into force and the recent fines levied on Eldon were for breaches outside of this time period, the ICO suggested it has sufficient concerns that the firm could currently have “ineffective systems” in place.

Denham said: “Specifically with Eldon we used our information notice power to compel them to provide information to us. But now we have the ability to go in and check through inspection or audit. It’s going to give us more leeway and more information to be able to make findings under the Data Protection Act. Because we have concerns about ongoing misuse of personal data. That’s what lets us through the door.”

“Our investigation is ongoing. We expect to be able to report within a matter of weeks,” Denham confirmed.

Further questions were raised by the committee over whether Eldon customers’ personal data may have been used in political advertising campaigns on Facebook.

Damian Collins MP asked: “Do you see any evidence of emails used from Leave.EU for Goskippy customers? Not just for emails or promotions. But whether those addresses could have been used for targeting on Facebook advertising?”

Denham confirmed that the commissioner is still investigating the concerns.

Appearing in front of a parliamentary select committee in June, Leave.EU donor and Eldon owner Arron Banks denied that there was any crossover between the two organisations, despite them operating from the same office.

However, appearing today, Dipple-Johnstone said that, during the campaign: “There was potential for a member of staff working for one to select a list from the other and therefore that has led to this incident where the marketing has taken place without due consent. So that would suggest the systems aren’t effective and therefore that’s what we want to audit to see if at a systems level that is responsible rather than an individual member of staff making an error.”

Asked by the committee whether the companies were “effectively working on one system with different mailing lists”, Dipple-Johnstone replied that “there is the potential for that to have happened.”

The ICO also confirmed it has spoken to a number of whistleblowers and has seized devices and 700 terabytes of data – which Denham said was equivalent to 52 billion pages of information – relating to controversial now-defunct data marketing firm Cambridge Analytica and parent company SCL.

Cambridge Analytica CEO Alexander Nix and app developer Aleksandr Kogan have declined to appear for questioning.

Customers of Eldon brand Goskippy that have received correspondence without consent were urged to report this to the ICO.

Leave.EU has not yet responded to requests for comment regarding the ICO’s report and findings. In April, Eldon denied that insurance data could have been used in political campaigns. 

Banks today tweeted: “So Damian Collins and crazy Carole Cadwalla [Guardian journalist] [and the] ICO find no evidence of a grand data conspiracy and find we may have accidentally sent a newsletter to customers. Damian Collins vindicative all Remain supporting committee have some answers of their own to answer!”

  • LinkedIn  
  • Save this article
  • Print this page  

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact [email protected] or view our subscription options here: http://subscriptions.postonline.co.uk/subscribe

You are currently unable to copy this content. Please contact [email protected] to find out more.

You need to sign in to use this feature. If you don’t have an Insurance Post account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: