• gdpr
  • November 16, 2020

ICO Fines - Not Just Big Companies Under Scrutiny on GDPR

By Lawbite Team

The supervisory authority for GDPR compliance, the Information Commissioner's Office (ICO), has recently published its decision to fine British Airways (BA) £20 million. This followed BA's failure to protect the personal and financial details of over 400,000 of its customers.

Personal data exposed included names, addresses and payment card details. User details of BA employees and some BA Executive Club accounts were also potentially accessed. 

The fine is the largest imposed to date by the ICO for breach of the General Data Protection Regulation (GDPR). Maximum fines imposed by the authorities may be up to 4% of the total worldwide annual turnover or 20M Euro, whichever is the greater. 

The breach happened as a result of a cyber-attack, and the ICO found that BA, as a data controller, had failed to process personal data in a manner that ensured appropriate security, as required under GDPR. The ICO's investigation confirmed that the airline was processing a significant amount of sensitive personal data without adequate security measures in place, with weaknesses in its IT security that could have been remedied at the time to avoid a data breach.

Other recent fines

The ICO has also recently taken enforcement action with a breach notification against Experian, ordering it to make fundamental changes to how it handles personal data within its direct marketing services.

Just a few days ago, Ticketmaster were hit with a £1.5M fine.

But if you believe that the ICO only has large businesses in its sights when it comes to data breaches, you would be very much mistaken. Many much smaller firms are finding themselves on the receiving end of an expensive GDPR fine issued by the ICO.

Reliance Advisory, which operates in the field of claims management services such as mis-sold PPI, had a £250K fine imposed for failings in its electronic marketing and in the way it handled customer data.

Many other small businesses have also been caught out by making unsolicited direct marketing calls, with fines in excess of £100K for not meeting a specific GDPR requirement.

How to ensure compliance 

Both a data controller and a data processor are required to take appropriate security measures to protect personal data, taking into account the costs of implementation and the nature, scope, context and purposes of the processing.

What is a Data Controller?

The ICO defines this as 'the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.'

What is a Data Processor?

The ICO defines this as 'a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.'

An up-to-date IT Security Policy and supporting procedures are necessary to be compliant with GDPR, including appropriate security measures which may include:

  • Limiting access to applications, data and tools
  • Undertaking rigorous testing by simulating a cyber-attack
  • Protecting employee and third-party accounts with multi-factor authentication

Other appropriate measures include: 

  • Pseudonymisation and encryption of personal data 
  • Ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing

Being GDPR compliant 

Personal data security forms part of overall GDPR / data protection compliance. It is important to take the necessary steps to keep internal and external compliance documents and procedures up to date, often including:

  • Data Protection Policy or Standard
  • Data Retention Policy 
  • IT Security Policy 
  • Contracts with any data processors / services providers 
  • GDPR language in your customer contracts 
  • Employee-related GDPR compliance requirements
  • Assessment of marketing activities 
  • Data Privacy Notices, including for website
  • Cookie Policy 
  • Other necessary data processing documentation 

It is also important to train all staff and contractors on the relevant GDPR compliance policies and procedures for handling personal data, ensuring the right level of awareness and risk mitigation is in place.

GDPR and Brexit

The UK will be treated as a country outside the EEA (European Economic Area) from January 2021 (after the current transition period), while having the Data Protection Act 2018 in place, which ensures that the provisions of GDPR are still applicable.

All UK-based businesses will still need to comply with both GDPR and other relevant EU data protection legislation while being based in the UK, a country outside the EEA that does not have an official adequacy decision in respect of its data protection laws.

You may need to have certain provisions in place, such as appointing a representative and having special contractual clauses, if you offer goods or services to the EEA or otherwise process personal data of individuals based in the EEA, as well as ensuring that your privacy notices are updated.

LawBite can help 

As a starting point, everyone should visit our GDPR page. Here, you can find more details on what your business needs to consider. You can also arrange a data protection impact assessment, which helps you with specific data processing questions or the documentation you need to put in place to be GDPR compliant.

You get a free, 15-minute consultation with one of our expert lawyers.

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.
