It has now been over 20 months since GDPR came into effect in the UK. As most organisations will now know, these regulations have dramatically increased the onus on organisations to take a proactive approach to data protection compliance and to reduce risk around the way they handle data. The Information Commissioner’s Office (ICO) is the UK’s independent data protection regulatory authority, responsible for monitoring and enforcing compliance with data protection law. Where there has been a personal data breach or a failure to comply with data protection obligations, the ICO has a number of powers available to it, including:
- Information notices;
- Enforcement notices;
- Penalty notices; and
- Inspection powers.
The monetary penalties for failure to comply with data protection are potentially severe. The ICO is typically a regulator which aims to assist and encourage compliance but is not averse to issuing sanctions where necessary.
In the last financial year, the ICO issued a record-breaking total of financial penalties on organisations – 55 fines totalling £5m for breaches of the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. This article summarises the significant enforcement action taken last year (2019) and considers the enforcement notices issued by the ICO in the last 6 months.
Significant enforcement action in 2019
In July 2019 the ICO issued notice of its intention to impose fines of £183.39m and £99.2m on British Airways (BA) and Marriott International Inc., respectively. Although these two cases have not yet reached a final outcome, these are the first intended fines by the ICO under the GDPR, and the biggest fines issued by an EU Data Protection Authority to date. As the fines affected individuals in multiple Member States, the ICO has been required to liaise with other EU regulators.
The fines highlight the importance of companies ensuring that robust security measures are in place to protect personal data and undertaking appropriate due diligence in corporate mergers and acquisitions. As the EU regulators are encouraged to adopt a consistent approach to the imposition of administrative fines, the ICO’s fines serve as a warning to companies of the level of GDPR fines that may be imposed by other data protection authorities in the case of breaches arising from weak security measures.
The £183.39m fine which the ICO proposes to impose on BA concerns a cyber incident that is believed to have begun in June 2018 and was reported by BA to the ICO in September 2018. The incident involved user traffic to the BA website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. As a result, personal data, including names and addresses, as well as login, payment card and travel booking details of approximately 500,000 customers, were compromised. The ICO’s fine was imposed as a result of BA’s alleged failure to implement appropriate security measures to protect its customers’ personal data. The fine constitutes 1.5% of BA’s worldwide turnover for 2017. Under the GDPR, EU Data Protection Authorities have the power to impose fines of up to €20m or up to 4% of annual worldwide turnover for the preceding financial year, whichever is higher.
The £99.2m fine which the ICO proposes to impose on Marriott relates to a cyber incident which was notified by Marriott to the ICO in November 2018. The personal data breach involved approximately 339 million guest records globally, of which around 30 million related to residents of 31 countries in the EEA. The breach is believed to have begun in 2014, when the guest reservation database of the Starwood Hotels group was compromised. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO believes that Marriott failed to undertake sufficient due diligence when it acquired Starwood and should also have done more to secure its systems. The potential fine shows the importance of purchasers conducting comprehensive due diligence in corporate mergers and acquisitions, for the purpose of ensuring that the vendor has complied with data protection law and, in particular, that robust security measures have been put in place to protect the personal data that is being acquired. In addition, purchasers should have due regard to these issues in the negotiation of warranty and liability provisions in the acquisition documentation (including any permitted knowledge qualifications).
These fines show the ICO is taking a strong stance against data controllers who fail to implement appropriate security measures to protect customers’ personal data, and is prepared to issue substantial fines where necessary. However, it is noteworthy that the ICO’s Annual Report for March 2018-2019, which was published shortly after notification of these fines was issued, indicates that in 82% of the personal data breaches assessed and closed over the past year, the ICO determined that no further action was required, on the basis that the organisation had appropriate measures in place or was taking steps to address the breach. The ICO only required data controllers to take further action in 17% of cases. Less than 1% led to action beyond that, such as improvement action plans, further investigation, audit visits, or civil monetary penalties being pursued. Nevertheless, three major fines were issued by the ICO against Equifax (£500,000), Uber (£385,000) and Yahoo! (£250,000) as a result of failures in cyber security.
Summary of enforcement action in the last 6 months
DSG Retail Limited has been fined £500,000 under the Data Protection Act 2018 (DPA) after a ‘point of sale’ computer system was compromised as a result of a cyber-attack affecting at least 14 million people. An attacker installed malware on 5,390 tills, collecting personal data over a 9-month period before the attack was eventually detected. Despite this criminal attack, the company was also at fault due to its failure to secure the system, which allowed personal information to be compromised. The ICO also held that the company had breached the DPA by having poor security arrangements and failing to take adequate steps to protect personal data, including inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.
Careless storage of data
Unlike the previous case, this is one of the few cases which has been brought under the General Data Protection Regulation 2018 (GDPR). Doorstep Dispensaree Ltd was fined £275,000 for failing to ensure the security of special category data. The company, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises. These documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
There has also been a trend over the last few months of individuals being prosecuted for inappropriately accessing records. The breaches include forwarding work emails and personal data to home email addresses, or accessing data after having left a particular job, with those penalised including council officers and social workers. The penalties range from a 6-month conditional discharge with an order to pay costs of £700 to the victim, to a fine of £450 and an order to pay additional costs to the victim.
Unlawfully obtaining and selling personal data
A former managing director of a claims management company that obtained and sold personal data relating to car insurance policy holders was prosecuted. David Cullen was found guilty of 21 counts of obtaining and selling data unlawfully at Manchester Crown Court. He was fined £1,050, ordered to pay costs and disqualified as a director for 5 years. The proceeds of the activity, which totalled £1,434,679.60, were also confiscated under the Proceeds of Crime Act 2002. However, due to Mr Cullen’s lack of assets, a nominal order of £1 was made.
Making it Easy Ltd and Superior Style Home Improvements Ltd have been fined £160,000 and £150,000 respectively for making nuisance marketing calls. Both companies called people whose numbers were registered with the Telephone Preference Service and who had not given their consent to receive them.
The ICO fined EE Limited, the telecommunications company, £100,000 for sending 2.5 million unsolicited communications to customers without their consent. The ICO considered the breach to be sufficiently serious given its scale, and taking into account that EE was aware that messages were deliberately sent to individuals who had said they did not consent to receiving direct marketing.
Subject Access Request
The ICO has also issued Hudson Bay Finance Limited with an enforcement notice due to a complete failure by the data controller to supply personal data requested by way of a subject access request under the DPA. The individual requested her data in writing in May 2018, but the company failed to respond and she contacted the Commissioner. However, despite the involvement of the Commissioner, the company still failed to respond. The ICO issued an enforcement notice, and a failure to comply with such a notice is a criminal offence.
The conversation around data protection has gained significant traction following a number of recent high-profile cases. Many of these cases have involved organisations that almost everyone will be familiar with or given their own data to at some point. For this reason, it is no surprise that individuals are increasingly questioning how their personal data is being used and organisations are taking steps to ensure they are continuing to improve their compliance and reduce risk. For breaches that are less serious, however, the ICO’s approach continues to demonstrate a preference for the carrot rather than the stick where appropriate and, where an organisation can demonstrate that data protection is taken seriously, the ICO’s response is more likely to be supportive than punitive. It is therefore important to keep an ‘audit trail’ of decisions concerning data protection and to ensure you and your staff remain up to date with developments.
Burnetts advises many organisations in relation to their duties under data protection law and how to improve compliance. If you have any questions, feel free to get in touch on 01228 552222.