So now we’ve entered 2019, it seems as good a time as any to stop and reflect on the action taken by the Information Commissioner’s Office (ICO) in 2018 with regards to data protection breaches, and consider what we can learn going forward to ensure that your business is not subject to a fine for breach of the new Data Protection legislation (GDPR).
Back in July of 2018 we began to cover the emerging trend of a stricter approach to data protection law enforcement by the ICO and it can be expected that there will be clear movement in 2019 with sterner levels of enforcement now that any possible grace period will be coming to an end.
The most significant data protection cases that occurred in 2018 involved:
Facebook and Cambridge Analytica
Brexit referendum campaigns
In November 2018, Uber was fined £385,000 for failing to protect customers’ personal information during a cyber attack. Records of 82,000 UK drivers (including details of their journeys and payment for those journeys) were hacked back in 2016. The ICO said the breach resulted from “a series of avoidable data security flaws” and resulted in an “increased risk of fraud”. The incident occurred prior to GDPR coming into force; under GDPR, the fine might have been significantly higher.
Key takeaway: Even for a company as large as UBER absorbing a fine for a data breach can mean a serious financial hit. However, if the breach had taken place under GDPR, the fine would have been significantly higher. We’ll keep a close eye on what happens in 2019 to draw insights on what the ICO’s new level of enforcement will be.
Amazon suffered a data breach, disclosing the names and email addresses of a number of users, just before Black Friday. The breach was due to a technical error on the website, not because of a security breach of its website or any systems. The ICO has said they are “monitoring the situation”. This breach occurred under GDPR, so if the ICO decides to fine Amazon, the fine could be significantly higher than previous cases we have seen.
Key takeaway: What we can see from this case is that there are a variety of ways in which your business can fall under the watchful eye of the ICO. Even unintentional technical faults which lead to a data breach will be considered as maybe warranting a large fine under GDPR. This case shows that you must have emergency contingency planning in place to help you be best prepared for the unexpected.
The owner of Currys, PC World, Carphone Warehouse and Dixons suffered a data breach affecting 10 million individuals. Their processing systems were infiltrated by hackers, causing a leak of names, addresses, email addresses and information on 5.9 million payment cards. The ICO is working with the National Cyber Security Centre, the Financial Conduct Authority and other authorities to investigate the breach and work out the impact it had on customers.
Key takeaway: Cybersecurity and the threat from sophisticated hackers has been one of the prevailing themes of the last few months. While we await the final outcome on this data breach we can assume that if there are any data security failings found to be on the side of Dixons then the ICO will act.
The ICO fined Facebook, under the previous data protection rules, £500,000 for failing to ensure that a third party company, Cambridge Analytica, had deleted users’ personal data in line with Facebook’s policies and procedures. Under new rules, which allow for a fine of 4% of annual global turnover or EUR 20 million, whichever is greater, the fine could have been $1.6 billion.
Key takeaway: £500,000 versus £1.6 billion anyone? That’s a huge scale-up under what happened under GDPR and motivation enough to ensure that your data protection policies are watertight.
In November, the ICO said it was ready to fine Leave.EU and a related insurance company for breaching data protection rules. More than 1 million emails were sent to Leave.EU subscribers which contained marketing materials for Eldon Insurance, which was linked to the Leave.EU campaign. The fine is expected to be £135,000.
Key takeaway: This is an interesting one. In comparison to some of the big brands mentioned here, this seems rather small but anything to do with Brexit and alleged wrongdoing in the referendum will continue to attract plenty of attention and will indicate the example that the ICO wishes to set for others.
British Airways was hit by a cyber attack between 21 August and 5 September 2018. During this time, 380,000 booking transactions were stolen, including bank card numbers, expiry dates and CVV codes. British Airways reported the breach to the ICO within 24 hours.
The ICO’s investigation is ongoing, but they could be fined 4% of its annual turnover, which is £500 million. This is despite British Airways’ quick reporting, which highlights the importance of having effective controls and procedures from the outset. Quick reporting will not eliminate the scope for a fine from the ICO. Any fine British Airways receives will also be in addition to any compensation they might have to pay to customers who have suffered fraud as a result of the breach.
Key takeaway: It seems BA have followed best practice for when a business falls prey to a cyber attack, however, this could attract a severe fine from the ICO because of the sheer scale of the data involved. It’s one for all to monitor to see how the available punishments under GDPR are deployed in such instances.
What do these actions tell us about the ICO’s enforcement strategy?
The ICO has not wasted much time in enforcing cases under GDPR, as well as continuing to bring actions under the old Data Protection Act 1998. Whether the breach relates to a security breach, a process failure or email marketing, the ICO is very active in investigating what went wrong, what should have been done instead, and then proceeding to find the company involved.
Small businesses should not assume that the ICO is only interested in the bigger players. The ICO can and will intervene in all data protection breaches. Remember, it only takes one complaint from a data subject for the ICO to start investigating a business’ processes and procedures.
It is imperative to ensure that you comply with all of the points above in order to be compliant with GDPR. Remember that the scale of the fines makes non-compliance not an option. Our suite of GDPR products provides the ideal solution to get your business fully compliant.
While if you remain somewhat uncertain about your position regarding the full compliance of your data protection procedures you can check your position via our handy GDPR Checklist.
The author of this article is expert LawBrief Barbara Jamieson. For further business legal advice, please enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team.