So, we all knew that the ICO had been equipped with a fine set of gnashers by the GDPR and DPA legislation. What we didn’t know was what it would take to get them to bare them or actually use them. Or what the consequences of an ICO mastication would look like when the bits had been spat out.
Well this last week has given us some strong clues in the shape of the BA and Marriott International reports giving details of proposed penalties. Both proposed fines are, in real terms, huge at £183M and £99M respectively. Both organisations are considering appeals.
But are the fines in line with expectations? They certainly fall well short of the maximum possible under the GDPR. Speculation when the BA breach first hit the headlines was that the total damage could end up well north of £1bn once damages paid to individual data subjects and costs had been taken into account, with the fines themselves accounting for up to half the final sum. In the event, the proposed fine amounts to more like 1.5% of their worldwide turnover rather than the 4% maximum permitted by the Act.
It will therefore be very interesting to read the decision notice in each case once they are issued. In previous reports published by the ICO it appears that it is the attitude of the firm to the handling of the breach, the levels of co-operation in dealing with the fallout, and the data protection culture of the firm as a whole that are the influential factors when the level of punishment for a breach is considered.
What is clear though is that even if the punishment thermometer can be reduced to a factor of, say, 1.5% of turnover, this is a highly significant sum to bear for any size of firm. Would your firm be able to digest it comfortably?
For fines aren’t the whole story. There may well be other costs to pay in damages to affected data subjects, not to mention the reputational damage to the firm as a whole. And this is without taking into account the often significant time expenditure in investigating and reporting on the breach, working on putting it right with possibly large numbers of data subjects, working with the ICO in their investigation, and retraining of staff in data protection awareness and minimisation of risk. How many organisations have made provision in their financial statements for the possibility of breach related fines?
So, in analysing the events of the past few days:

Don't:
- Think that the GDPR and DPA don't apply to you; they do.
- Think that the ICO won't act if you have a breach; they clearly will.
- Relax in the mistaken belief that a set of paper policies alone is sufficient to demonstrate compliance; it's not.
- Forget to keep your Statement and Data Protection related policies and procedures under regular review and updated; the Regulation requires it.
- Ignore the importance of regular awareness training for all staff at all levels, and of new staff inductions placing an appropriate level of emphasis on the firm's data protection culture; it's a vital contributor to effective breach recognition and management.
- Be afraid to enlist outside help – a third pair of eyes can assist objectively and save huge amounts of valuable internal time.

And make sure:
- That DPOs/persons responsible for data protection or Heads of Compliance are fully aware of their responsibilities.
- That your Privacy Statement is up to date and the internal contact details are accurate.
- That your DP policies are up to date and regularly reviewed, and the reviews documented.
- That your IT systems are up to the task and, if appropriate, regularly penetration ("pen") tested, with the findings acted upon.
- That your DP team is meeting regularly, and their meetings and action plans documented.
- That a regular refresher awareness and breach awareness and management training programme is in place for all levels of staff.
- That your outsourced contracts contain provisions dealing with the Controller/Processor elements of DP, and that their own DP operation is compatible with your requirements.
- That there is an embedded data protection culture in the firm that is perceived to be – and is – led from the top.
The ICO's actions this week amount to a statement of intent, to be ignored at our peril – how does your DP package shape up?