The UK’s Information Commissioner’s Office (ICO) has, for the first time, used its powers under the General Data Protection Regulation (GDPR), to fine companies which have failed to protect their customers’ data.
Two companies, British Airways (BA) and Marriott Hotels, were fined by the ICO for failing to prevent hackers from stealing their customers’ information. BA was hit with a record £183.4m fine, whilst Marriott was charged with the equally eye-watering sum of £99.2m. With these fines, the ICO appears to be making it clear that breaches of data protection law will be taken seriously, and the size of the fines issued will reflect this.
These actions would also appear to be part of a more general trend - one that was starting to emerge even before GDPR came into effect - of an increase in the number and amount of fines being issued, with the ICO twice imposing the maximum monetary penalty possible under GDPR’s predecessor, the Data Protection Act 1998.
General trend in data protection – an increase in fines
And it’s a trend that is not just evident at the ICO in the UK. An increase in the penalties that can be handed down by data protection authorities is a trend that is being seen across the board, and around the world.
This is thanks, in part, to the introduction of GDPR, which raised the stakes for data protection around the world. Subsequently, at least ten other countries, including Argentina, Australia and Brazil introduced legislation increasing the penalties organisations face for failing to protect customer data, ranging from hefty fines to imprisonment. Brazil and Australia, for example, have penalties of more than $1,000,000 per violation, while Mexico, Indonesia and the Philippines can impose fines of between $100,000 and $1,000,000.
In the US, consumer protection agency the Federal Trade Commission (FTC) recently levied a record fine of $5bn on Facebook for its role in the Cambridge Analytica scandal. This is the largest fine imposed by the FTC against a technology company, and the largest ever against any company for a privacy violation.
And, of course, earlier this year, the French data regulator Commission Nationale de l’Informatique et des Libertés issued a €50m fine (£44m) to Google under GDPR for not sufficiently informing the public of how they collected data to personalise advertising.
Why are GDPR regulatory fines increasing?
While the penalties may vary from country to country, the increase in fines is delivering a clear message: data protection is becoming a greater focus around the world and, because of this, the penalties for non-compliance have become more serious.
The UK’s ICO, which was in the past viewed as understaffed and underpowered, has seen its average staff numbers increase by a third - from 480 to 638 year-on-year, in line with its increased powers under GDPR - and its role is now viewed as utterly critical in the digital age. As head of the organisation, Information Commissioner Elizabeth Denham has said the introduction of GDPR “…saw people wake up to the potential of their personal data, leading to greater awareness of the role of the regulator when their data rights aren’t being respected.”
Ultimately, there is a distinct and identifiable trend among data protection regulators, including those from a variety of countries and subject to various different laws, of imposing better control over data usage - and they are doing it through the power of increased penalties.
What this regulatory landscape means for your business
Given the trend for increasing fines, we expect to see much greater and more high-profile penalties being imposed as the ICO, and other data protection authorities around the world, flex their muscles thanks to the powers awarded under GDPR, or the GDPR-inspired rules in their country.
And it’s not just larger, international companies that are at risk of being penalised. SME businesses which fail to comply with GDPR, or with the rules of the relevant data protection authority, run an equal risk of being hit with a large fine – up to a maximum of €20m or 4% of annual turnover, whichever is bigger. The size of the fine is determined by a range of factors including:
- Type of personal data
- How many people were affected
- How much damage was suffered
- How long the infringement lasted
- How the ICO found out about the infringement
Companies may therefore want to double-check their compliance plans:
- Check existing policies and procedures - It might be worth looking at whether your existing procedures and policies need updating as a result of new guidance or changes, particularly the European Data Protection Board’s guidance on transparency and consent. It may also be worth considering whether your current policies and procedures need extending, so that data protection is treated as an ongoing responsibility across your organisation.
- Refresher GDPR training - You might want to undertake annual GDPR refresher training, particularly for those staff that regularly handle personal data, such as the sales and marketing, and IT and HR teams.
- Review your customer and supplier relationships - You may also want to consider reviewing your contracts with customers and suppliers, to ensure they comply with the GDPR’s requirements.
- Carrying out Privacy Impact Assessments - You should check that you have a strong framework for carrying out Privacy Impact Assessments and make sure you understand the situations in which you are required to carry one out.
- What to do if there’s a security breach - Have you checked whether your staff know what to do if there is a security breach? If the worst should happen and a breach occurs, do you have a plan in place to help alleviate the serious reputational and financial consequences that can follow such a breach? A Data Breach Policy, with guidance and training offered on handling such a crisis, may be a good idea.
If you’d like to discuss any of the information that appears in this blog, please contact a member of our Commercial and IT Team.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.