It’s been a busy summer for the Information Commissioner’s Office (ICO) which has announced more than £280 million in fines for data protection breaches in July alone.
The message is clear, the ICO intends to be a vigorous enforcer of the GDPR and the UK Data Protection Act 2018. Since GDPR came into force, 66 enforcement notices have been issued. While some of these will relate to breaches of the DPA 1998, the headline-grabbing fines issued to Marriott (£99m) and British Airways (£183m) show that the penalties for infringing the new legislation will be high.
The Information Commissioner, Elizabeth Denham, shows unequivocal support for the spirit of the new laws; organisations trusted with personal data must look after it. Those that don’t will face scrutiny from her office, which, as the ICO advised guests at our House of Lords debate on the subject back in March, has almost doubled in size in the last 12 months.
So, what do the newly-issued notices tell us?
While both the Marriott and British Airways incidents related to cyber breaches that have generated a flood of calls to cyber security firms, there are other internal procedures that need to be properly in place if organisations are to feel confident they have taken all the necessary steps to comply with the laws.
With regards British Airways, there is speculation that the duration of the breach (reportedly 15 days) and possibly a delay in reporting and remedying the breach may have contributed to the size of the proposed fine which represents 1.5% of BA’s 2017 global turnover. To mitigate against this, organisations must:
- have a protocol in place governing breaches,
- regularly check IT systems and storage facilities so that any beach is swiftly identified and rectified; and
- ensure that staff are aware of who they should notify should a breach ever occur.
In their statement of intent to fine Marriott, the ICO commented that in their view, Marriott had failed to undertake sufficient due diligence when it acquired the Starwood hotels group, whose systems were compromised, and should have done more to ensure the new company’s data storage was secure. Privacy and data security due diligence must be carried out prior to any acquisition; a failure to do so will compromise any defence should data breaches occur in a newly acquired entity.
However, it is not just large multinationals that the ICO has in its sights. The most recent notification (at the time of writing) was issued to London estate agency Parliament View, fined £80,000 for leaving the personal data of over 18,000 customers exposed for almost two years. During its investigation, the ICO uncovered a catalogue of security errors and concluded that the agency had ‘failed to take appropriate technical and organisational measures against the unlawful processing of personal data’. Among the specific procedures found wanting were the failure to train staff, the use of an insecure file transfer system and a failure to monitor.
It is clear that organisations failing to put adequate procedures in place to protect any personal data they hold from loss, damage or theft will face a very real threat of prosecution by the ICO. This will include understanding the risks, ensuring that appropriate management and governance is in place, establishing a secure environment supported by robust operational practices and above all, regular monitoring.
While eyes will be on these cases, as attempts to mitigate these fines unfold, wise businesses will be investing in the necessary assurances that the personal data they hold is properly protected and used responsibly. Tools such as GoodCorporation’s Data Protection Framework can be used to assist with this. But this is more than just a compliance issue. Good data protection is set to become a real indicator of how an organisation conducts its business. In July 2018, according to research by the ICO, only one in three UK consumers had high trust in companies and organisations storing their data. Those organisations that are trusted to handle data could be set to gain a genuine advantage.