GDPR - The Cost of Getting it Wrong

GDPR – the cost of getting it wrong

In the UK, the Data Protection Act 1998 sets out how organisations must handle data and that includes a number of ways in which a company can be penalised.

The new legislation, the General Data Protection Regulation (GDPR) that comes into effect on the 25th of May introduces tougher penalties.

Let’s look at some of the fines issued this year under the DPA and the change to enforcement penalties under the new GDPR.

Currently, the penalties for companies not meeting their information rights obligations are:

  • Fines up to £500,000
  • Prosecutions, including prison sentences for deliberate breaches
  • Obligatory undertakings, where your company must commit to specific action to improve compliance

Fines Issued By the ICO in 2018

Here are four examples of fines large and small that have been enforced by the ICO in 2018 under the DPA.

April 2018
Local Government
Royal Borough of Kensington and Chelsea
Fined: £120,000

The Royal Borough of Kensington and Chelsea has been fined £120,000 after it unlawfully identified 943 people who owned vacant properties in the borough.

January 2018
Finance Sector
Carphone Warehouse
Fined: £400,000

One of the largest fines issued by the ICO was handed to Carphone Warehouse, who were charged £400,000 after one of their computer systems was compromised as a result of a cyber-attack in 2015.

January 2018
Finance Sector SME
Holmes Financial Solutions
Fined: £300,000

A Liverpool based SME, Holmes Financial Solutions, were fined £300,000 for making 8.7 million nuisance calls. According to the ICO, 8,792,907 automated calls were answered by subscribers, who had not given their prior consent to being contacted.

January 2018
Utility Sector
SSE Energy
Fined: £1000

SSE Energy Supply Ltd were fined £1000 after they send an email to an individual in error.

Once GDPR comes in to effect on the 25th of May 2018, the enforcement penalties are set to get much heavier.

How will the fines change under GDPR?

The fines to be issued under GDPR are potentially huge. Come the 25th of May, organisations face fines of up to;

  • 2% of their annual turnover, or €10 million, whichever is higher, for infringing GDPR’s code of practice.

Any recurring breaches of personal data may rise to;

  • 4% of turnover, or €20 million, again, whichever is higher.

The new GDPR fines are larger than the £500,000 penalty the ICO can currently wield and, according to analysis, last year’s fines would be 79 times higher under the new regulation.¹

Fines are a last resort

It is important to remember that the 25th of May is a starting point, not a deadline. GDPR is not solely about how you adapt to survive (i.e. avoiding fines), but how you adapt to thrive (i.e. gaining a competitive advantage).

Compliance won’t be achieved through fines alone. Elizabeth Denham, the UK Information Commissioner, said that there are other enforcement options beyond fines that the ICO could use. She said;

When we do need to apply a sanction, fines will not always be the most appropriate or effective choice. Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organisation processing data.

None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line.

Putting Consumers First

In a blog published on the Information Commissioner’s Office (ICO) website, Denham said she was concerned by reports suggesting the data regulator would be routinely handing out massive fines once the GDPR came into force on 25th May. She explains:

This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that”, continuing “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.

Denham has stated that the ICO would rather work with organisations to improve practices and often a “stern letter” can be enough.  It’s worth noting that, the ICO office is likely to be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven’t made any effort.

Sources:

ICO, Guide to Law Enforcement Part 3 of the Bill – Penalties

ICO, Enforcement Penalites Listed by the ICO

¹ The Register, Last year’s ICO fines would be 79 times higher under GDPR, April 2017