We are fast approaching the two year anniversary of the introduction of the EU General Data Protection Regulation (GDPR). Prior to its introduction the majority of organisations had spent considerable resource (both financial and time) in preparing.
For those, their preventative measures have paid off, by enhancing the protection offered to their customers’ data through new or more robust processes, and in some cases better use of technology.
A key motivator here was the risk of fines. The maximum fine is set at 20 million Euro’s or 4% of the annual global turnover, whichever is higher.
So, two years later, what can be learnt from the fines issued, but also the reasons why, in order to review your organisation’s processes?
Too small to be targeted
For some organisations, their preparation didn’t actually start until the 25 May 2018. One of the common sentences uttered around GDPR (and in fact cyber security) is “we’re too small to be targeted”, so stories of the largest recorded fines to date (£183m fine to British Airways and £99m to Marriot) are dismissed as scaremongering.
It’s important to remember that not every fine would make mainstream news in the way that these goliaths would.
For every high profile ‘system that’s not appropriately secured fine’ (Cathay Pacific were fined £500,000 last month!), a similar example exists in a smaller organisation.
Whilst the number of monetary penalties issued by the Information Commissioner’s Office since 2018 is relatively small, the causes are interesting. It is also worth noting that some fines issued were for breaches that predated GDPR and were fined under the previous legislation, the Data Protection Act 1998.
|2018||2019||2020 (to 1/4/20)|
Table 1- No of monetary penalties issued by the Information Commissioner’s Office since 25/5/18
Email is considered one of the most likely ways for a breach to occur due to fact it require trust in the quality of either a manual or dynamic data source. The obvious GDPR breach would be direct marketing without consent and there have been a number of direct marketing notices served.
There could also be accidental sends within marketing emails, where a query has been built incorrectly, but one interesting fine focuses on the use of non-marketing email within Outlook.
Gloucestershire Police sent a bulk email that mistakenly identified victims of non-recent child abuse. On 19 December 2016, an officer sent an update on the case to 56 recipients by email but entered their email addresses in the ‘To’ field and did not activate the ‘BCC’ function, which would have prevented their details from being shared with others.
Whilst we are living in the digital revolution, for the majority of organisations there is still a reliance on paper files, and fines were issued to two London based health organisations for mismanagement of theirs.
Doorstep Dispensaree LTD, a pharmacy, were fined £275,000 for failing to ensure the security of special category data. Around 500,000 documents were found in unsecured containers at the back of its premises.
The Bayswater Medical Centre was also fined £35,000 for leaving highly sensitive medical information (including medical records) unsecured in an empty building for more than 18 months.
Digital Asset Management
Using recorded content and media in marketing campaigns is commonplace and it is essential to ensure release documentation is kept for to demonstrate the use of that media .
London based True Visions Productions were fined £120,000 for unlawful filming in a maternity clinic. Whilst the hospital trust had authorised the filming, they hadn’t obtaining adequate permission for some filmed subjects.
Subject Access Requests
One of the main rights for an individual under GDPR law is that they can issue a ‘subject access request’ (SAR) to an organisation. A SAR allows an individual to obtain access to the records an organisation holds about them. Whilst this concept isn’t new, there is now no charge to request this information. GDPR requires you to respond to a request within 30 days, but this can be extended if it is a complex request. You must still notify the subject of the extension.
Hudson Bay Finance Ltd were issued with an enforcement notice for failing to respond to a subject access request. The case continues following communications between the company and the ICO Office. It will be interesting to see what a fine in this area would be.
Following Morrisons loss at the High Court in 2018, which ruled it was liable for a data breach initiated by a vindictive ex-employee, there have now been fines issued to individuals who have breached data from their former employees.
A Restorative Justice Caseworker, who formally worked at Victim Support, has been prosecuted for sending sensitive personal data to her own, personal email account without authorisation. They were fined £600 and received a 3 year conditional discharge.
Finally, like the Cathay Pacific, The University of Greenwich were fined £120,000 following a “serious” security breach involving the personal data of nearly 20,000 people which was stored on a single use website was and left online and not secured. It was subsequently compromised by hackers and the data, including staff sickness, and details of learning difficulties, was posted online.
Many of the examples above could have been prevented by robust processes or effective staff training. They are all applicable to organisations of any size so it’s important to constantly review business processes and policies, review your data source audit, and refresh staff training to ensure that these examples don’t become the tenet of your enforcement notice.