The 25th May 2018 was dubbed as ‘D-Day’ or more accurately ‘DPA Day’ as the most profound changes to Data Protection laws in the last 20 years were enacted.
In advance of the deadline, and even after the deadline, many businesses were panicking about compliance, attempting to put into place Privacy Notices, procedures and trying to get their heads around the 80,000+ words that make up the General Data Protection Regulations. Whilst other business owners took the view that ‘it’ll never affect them’
10 months on and some business owners may feel that it hasn’t really had an impact, that the astronomical fines quoted haven’t materialised and that the legislation hasn’t been rigorously enforced.
Reaching these kinds of conclusions however could be disastrous for a business and many business owners have not yet realised the continuous obligations on them under the Data Protection Act 2018, nor the potential for personal liability or the possible impact of fines on their business. Other business owners I have spoken to have taken the view that the Information Commissioners Office (‘ICO’) are only interested in pursuing larger scale breaches such as the recent issues reported in respect of Facebook and Cambridge Analytica.
I have set out three recent cases below which have been before the ICO or the Court recently which flag up the changing attitude to data protection.
Personal Liability
The ICO have recently reported on two cases where individual employees of businesses were personally fined by Magistrates Courts in respect of Data Protection breaches.
The case of Faye Caughey involved Ms Caughey unlawfully accessing patient medical records of 14 individuals at her place of work with Heart of Englands NHS Foundation Trust, between February 2017 and August 2017. Ms Caughey was personally fined £1,000 plus legal costs and victim surcharge for the data breach.
In another case, Jayana Morgan Davis was fined £200 plus legal costs of £590 and a victim surcharge after she forwarded several work emails containing customer data to her personal email address.
It should be noted that both of the above matters were prosecuted under the Data Protection Act 1998 rather than the Data Protection Act 2018 as the breaches occurred prior to the enactment of the 2018 Act. Nevertheless these fines demonstrate the increasing severity with which the Courts are dealing with Data breaches.
The case of Leave EU and Eldon Insurance
It is not the intention of this blog to get embroiled in the rights or wrongs of Brexit but the ICO have recently announced that fines totalling £120,000 have been issued against Leave.EU and Eldon Insurance in respect of their handling of consumer data during the run up to the referendum.
Broadly this involved the sending of political marketing emails to customers of Eldon Insurance without the applicable consent of the data subjects.
Elizabeth Denham of the ICO said; ‘It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened.’
The ICO have further issued assessment notices to allow the ICO access to Leave.EU and Eldon’s offices, documents and staff for further investigation. A further report will be prepared and published in due course. In addition they have issued an enforcement notice against Eldon to comply with e-marketing regulations.
Again, the offences occurred prior to the enactment of the 2018 Act and therefore I anticipate that the fines are considerably lower than they would have been had the offences been committed under the 2018 Act.
Recent County Court decision
I have personally been involved in a recent matter against a local business who had failed to comply with Subject Access Requests and failed to have appropriate procedures in place. The business argued that they were a small business with limit resources. Despite this the business handled very sensitive data and the Court were of the view that they had to set an example about such breaches.
The Court took a very hard line on this business and ordered the business to pay considerable legal costs given that the breach had occurred after the enactment of the 2018 Act.
Summary
It should be noted that the cases currently being reported by the ICO relate to breaches which occurred prior to the General Data Protection Regulations and Data Protection Act 2018 coming into force.
Nevertheless the implementation of the Act has already impacted on the way in which Courts and the ICO will treat data protection breaches. Data is a valuable commodity and the amount of data available and shared has increased significantly due to advances in technology. With these advances however comes a greater obligation on businesses to manage and protect data.
Just some of the steps which businesses must take include:
- Businesses must have a compliant Privacy Notice dealing with what data is collected, how it is used and the Data Subjects rights associated with the data.
- The Business must communicate the Privacy Notice to customers in a straight forward manner that is clearly visible and understood by Customers;
- Businesses must have appropriate contracts in place with suppliers, third parties, employees and agents which expressly deal with Data Protection issues.
- Businesses must continually risk assess processes and procedures, including specifically new processes or procedures, to assess the risk of data breaches;
- Businesses must have appropriate technological security in place;
- Businesses must ensure that staff have received appropriate training and that there is a clear data protection policy and process in place.
If you need advice regarding data protection processes, the Data Protection Act 2018 or ongoing support, please do not hesitate to contact Richard Coulthard at Ison Harrison Solicitors on 0113 284 5095 or alternatively email richard.coulthard@isonharrison.co.uk
