When the General Data Protection Regulation (GDPR) came into force on May 25, 2018, many businesses did not feel ready for the changes and there was panic about the enforcement that was going to ensue. Sixteen months on, we are now seeing the first ICO decisions made under the Data Protection Act 1998, and it is clear that the ICO intends to enforce the GDPR to the fullest extent.
Since the introduction of GDPR, the ICO has issued two notices of intention to fine under the new legislation:
On 8 July 2019 the ICO issued a notice of intention to fine British Airways £183.39m for contraventions of the GDPR. The ICO was notified of a cyber-incident in September 2018 involving traffic to the British Airways website being diverted to a fraudulent site. Through this fraudulent site, the personal data of approximately 500,000 customers was harvested.
Under the GDPR the ICO can seek a fine of up to 4% of a company’s global revenue, which allowed for this eye-wateringly high fine against BA. The fine was record-breaking and marks the end of any grace period given by the ICO for companies to become GDPR compliant. The decision shows how serious the ICO is about ensuring that all companies entrusted with personal data implement reasonable security to protect it.
On 9 July 2019 the ICO issued a notice of intention to fine Marriott International £99,200,396 for infringements of the GDPR. Marriott failed to perform adequate due diligence when acquiring the Starwood hotels group and as such failed to recognise weaknesses in its systems which exposed customer information to hackers. The consequence of this was a cyber-incident in which the personal data of approximately 339 million guests was compromised.
The fines against BA and Marriott are not final, as the companies will have the opportunity to make representations in response, and so they may change. Whilst only two sanctions have been announced under the Data Protection Act 2018, they do illustrate just how severe the consequences of a breach of the GDPR are.
In order to get a more rounded picture of the impact of the GDPR, we must compare the decisions made by the ICO under the Data Protection Act 2018 with the decisions made under the Data Protection Act 1998. The decisions below were all made over the summer of 2019 but have been assessed under the 1998 Act rather than the 2018 Act.
Recent data protection complaints upheld by the ICO under the Data Protection Act 1998:
Life at Parliamentary View
On 19 July 2019 the ICO fined this London estate agency £80,000 under the Data Protection Act 1998. The agency left the personal data of over 18,000 customers exposed for nearly two years, including bank statements and salary details. This breaches the seventh data protection principle, which protects against the accidental loss of or damage to personal data. Because the breach occurred between March 2015 and February 2017, the agency was fined under the 1998 Act rather than the 2018 Act. Comparing the fine to those of BA and Marriott, we imagine that the company is relieved the timing of its breach did not fall under the GDPR!
EE
The ICO has fined EE £100,000 for sending over 2.5 million unsolicited marketing messages to customers. EE was in breach of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which restricts the sending of unsolicited communications by electronic mail.
Bounty (UK) Limited
The ICO decided to issue Bounty with a monetary penalty of £40,000 under the 1998 Act due to a breach of the first data protection principle (DPP1) contained in Schedule 1 of the Act. The company had collected customers’ personal data for membership registration through its website and app, and even directly from new mothers in hospital maternity wards. It then shared this data with third parties for marketing purposes without making clear to customers that the data might be used in this way. This was clearly a reckless breach of data protection rules.
Luckily for Bounty, the data was shared before the introduction of the GDPR, so the potential fine was capped at £500,000; otherwise this could have been a far more expensive mistake.
Most businesses have implemented processes to protect data and comply with the GDPR, with varying degrees of success. It is important to remember that GDPR compliance is not a box that can be ticked once, but must be an ongoing effort. The ICO dubbed it ‘an ongoing compliance journey’. As the GDPR is new, the last 16 months have been a whirlwind of evolving best practices, new guidance, learning and media focus. How confidently can you say you have kept up with all the developments?
It is also apparent that the fines being issued often relate to a failure to implement appropriate ‘technical and security measures’, one of the pillars of the GDPR, rather than to the deliberate misuse of data.
Some steps businesses must take to ensure ongoing compliance:
- Check whether your procedures need updating in line with new ICO guidance or changes within your business. It is important to risk-assess these processes to spot any potential for breaches within your business.
- You must review your contracts with suppliers, employees, third parties and agents to deal with Data Protection issues.
- You will need to have a compliant Privacy Notice which communicates clearly to customers how their data is processed.
- Businesses keen to comply with the GDPR will have provided training to their employees when the new rules were introduced, but in order to keep compliance at the forefront of employees’ minds, refresher training is imperative. This is particularly important for teams that work regularly with data, such as HR, marketing and IT.
- Ensure that you have taken appropriate steps to risk-assess any weaknesses in your IT infrastructure, including any vulnerability to cyber attacks.