With the headlines this autumn continuing to be dominated by the ongoing coronavirus pandemic, you may have missed some significant developments in the world of data protection.
In October alone, the Information Commissioner’s Office (ICO) issued its first two significant GDPR fines and took enforcement action against one of the UK’s biggest credit reference agencies. Is the regulator finally showing its teeth?
When data protection law was comprehensively updated in 2018, one of the key changes was a major upgrade to the powers of the ICO. The maximum fine the regulator could impose for serious breaches was increased from £500,000 to the greater of €20 million or 4% of an organisation’s worldwide turnover.
The ICO was also given sweeping powers to order companies to take action to bring their processing into line with the legislation. This led to all sorts of alarmist stories about how the biggest companies could face billion-pound fines should they get things wrong, and how even the smallest infringements could lead to crippling financial penalties.
In fact, the ICO initially adopted a very cautious approach to regulating the new laws. Until last month, the ICO had only issued one fine since the GDPR came into effect in May 2018.
A London pharmacy was fined £275,000, well below the old maximum, for the distinctly low tech reason of leaving hard copy documents containing personal data in unlocked containers. But in the summer of 2019, the ICO took on two very high profile cases, announcing that it would be issuing huge fines against British Airways and the hotel chain Marriott International, of £183m and £99m respectively.
Both cases shared some similarities in that they involved security vulnerabilities which allowed unauthorised access to personal data relating to large numbers of customers. The potential fines were by far the largest anywhere in Europe under the GDPR.
Although you would have been forgiven for missing this in the press coverage at the time, the ICO announcements about BA and Marriott were not actually fines, but instead were notices of intent. Under the UK’s data protection law, the ICO must issue a notice of intent prior to any fine, to allow organisations to make any final representations in their defence. It was clear that both BA and Marriott were making such representations.
By March 2020, there was still no final decision on the fines. And then the covid pandemic hit, which had a huge impact on the aviation and hospitality sectors.
Finally, in October, the ICO announced that it was fining BA £20m for security failings which led to the hacking of personal data relating to more than 400,000 customers, and Marriott £18.4m for a security failure which led to personal data relating to 339 million customers worldwide being put at risk. Still very significant amounts, but much lower than the ICO originally intended.
So what happened? Both companies appear to have fought very hard against the original notices and, under considerable pressure, the ICO chose to reconsider the levels of fines completely. In the Marriott case, the ICO chose a new starting point of £28m for the fine and then applied a reduction for mitigating factors, together with a £4m covid ‘discount’, to get to the £18.4m figure. The published decisions in these cases give us a real insight into the ICO’s approach to regulation. However, it’s important to remember that these two cases are not typical.
They both involved major companies and serious security failures leading to personal data about a very large number of individuals being compromised. The level of fines reflects the seriousness of the incidents. Nevertheless, there are lessons for businesses about preventing breaches and how to handle them, including the importance of early detection, positive engagement with the regulator and a willingness to argue your case strongly.
It remains to be seen whether either company chooses to appeal against their fine, although given the size of the original notices of intent, they seem to have achieved a good result.
The ICO showed an alternative approach to regulation on 29 October this year when it issued an enforcement notice to the credit reference agency, Experian. As well as having the power to issue fines, the ICO can issue enforcement notices requiring organisations to take action to comply with data protection law.
This particular notice followed a lengthy investigation into the data protection practices of the UK’s three biggest credit reference agencies. The ICO found evidence that all three were processing personal data of millions of people in contravention of data protection law and required them to take steps to change their practices.
All three made changes voluntarily, but the ICO concluded that Experian needed to take further steps and so issued a formal notice. Interestingly, none of the three companies was fined for these contraventions, although requiring changes to the way a company does business can clearly have a significant financial impact.
Businesses should be reassured that the action against Experian and the much-reduced fines issued to BA and Marriott mean that the ICO is maintaining its cautious approach to the regulation of data protection law. It seems large fines are only likely to be imposed in the most serious cases. However, businesses should not be complacent and continue to take appropriate steps to avoid the attention of the regulator.