August 27, 2019

How to avoid significant penalties as ICO issue first fines under GDPR

The Information Commissioner’s Office is finally flexing its GDPR muscles and recently gave notice of two substantial fines.

The ICO are hitting the headlines having issued their first fines under GDPR. British Airways face a fine of £183 million and Marriott Hotels £99 million for significant breaches to customers’ sensitive personal data.

The ICO normally only pursues financial penalties and prosecutions as a last resort. They prefer to utilise their own information and enforcement regime wherever appropriate.

However, in some cases, the implications of one single event or activity may be so profound that the ICO decides to make an example of it.

So far, most of their prosecutions have been under the 1998 Data Protection Act with a maximum £500,000 fine. However, GDPR has changed all that. The maximum fine is now £20 million rather than £500,000 or 4% of annual global turnover. That’s why BA and Marriott are currently facing such huge penalties.

Examples of activity that can lead to significant financial penalties under GDPR

  • Insufficient protection of personal data meaning that systems can readily be hacked and personal data inappropriately acquired
  • Compromising people’s personal data by using/failing to maintain filing systems. This can lead to people’s personal data being insecure and compromised putting individuals at risk of identity fraud
  • Accessing and viewing people’s sensitive personal data without authority
  • Not having appropriate data processing agreements in place with contractors who process personal data on your behalf
  • Failing to ensure the security of USB memory sticks, laptops etc. containing encrypted, sensitive personal data. The less of such items put data subjects at unnecessary risk
  • Putting the identities of individuals at risk by bulk emailing data without utilising appropriate security (e.g. using C.C. rather than B.C.C)
  • Viewing people’s sensitive personal data held legitimately on a database and then exporting it to unauthorised locations e.g. a personal email account
  • Sharing personal data with other organisations without authority and without informing the data subjects of your intention to do so
  • Retaining personal data for longer than necessary or for an inappropriate or unauthorised purpose

This is not an exhaustive list but examples of things that have attracted significant financial penalties from the Information Commissioner.

Businesses now offering to claim compensation for data breaches

Unfortunately that’s not where the problem stops. The “ambulance chasers”, perhaps seeing the end of the lucrative PPI regime in sight, are now offering to claim compensation for data breaches someone suffers. And the courts almost invariably hold the employer vicariously liable for the errors or omissions of its staff.

In addition, a breach can cause significant reputational damage and jeopardise an organisation’s future.

There are those who believe GDPR is akin to the Y2K “millennium bug” – just a myth or, at least, considerably overhyped. The reality is it’s not. These latest proposed fines demonstrate just how serious the ICO is about protecting personal data.

Next Steps

So now’s the time to take stock of what you’ve done to ensure your business is GDPR compliant. If you’ve not done anything or you’re not sure whether what you have done is sufficient, Moorepay is offering a detailed GDPR HR audit. To find out more please call 0345 184 4615.

Want a round-up of stories like this delivered to your inbox?

About the author

Mike Fitzsimmons

Mike is a Senior HR Consultant within the Moorepay Policy Team. He is responsible for the developing of employment documentation and is an Employment law advisor. With over 30 years of senior management and HR experience, Mike has managed teams of between 30 and 100 employees and is familiar with all the issues that employing people brings. He has also served as a non-executive director on the Boards of several social enterprises and undertook a five year tour of duty as Executive Chair of a £30+ million annual turnover Government agency.