- Legal Futures - https://www.legalfutures.co.uk -

ICO Guidance Review: Fines and lessons learned

By Legal Futures’ Associates Willis Towers Watson [1]

On 25 May 2018 the General Data Protection Regulation (GDPR) was introduced in the UK amid widespread concerns over the significant fining powers that would now be available to the Information Commissioner’s Office (ICO).

In July 2019, the ICO announced its intention to fine British Airways and Marriott International £183 million and £99 million respectively [2]. Whilst we await full details of the investigation and the official details of the penalty notice, the ICO has published details of two smaller but significant fines against DSG Retail Limited (DSG) and Doorstep Dispensaree Ltd (Doorstep).

Although both cases were considered under pre-GDPR legislation, businesses should take note of the ICO’s approach: the two cases differ significantly in business size and in the nature of the breaches, which provides a good opportunity to review a range of lessons learned.

The breaches and fines

DSG includes the Dixons group, and in January 2020 the group was fined £500,000 after a cyber-attack which potentially affected 14 million people [3].

Doorstep, a much smaller business, is a pharmacy that supplies medicines to care homes in London. In December 2019, it was fined £275,000 after 47 unlocked crates, two disposal bags and one cardboard box containing personal data were discovered in a courtyard [4].

The full details can be viewed on the ICO’s website.

What lessons can we learn?

What will the ICO consider?

Both findings provide indications on areas the ICO will consider when deciding which action to take.

Similarly, the data which was breached in DSG was of a type that risked leading to identity theft and fraud, and so the ICO considered the distress this was likely to cause customers. The DSG data was linked to 85 fraudulent payments at supermarkets, and there was evidence of the data being sold on the Dark Web.

The ICO reviewed the complaints received by both the ICO and DSG, which were cited as evidence of the distressing impact on customers.

DSG contacted all customers who were possibly affected, undertook an advertising campaign, established a specific call centre, offered credit monitoring to customers and worked with their acquiring bank to mitigate potential customer exposure to financial fraud.

Whilst the actions taken by DSG may seem significant, the ICO commented that they gave these ‘limited credit’ as they considered the actions to be an ‘industry standard approach’. They also questioned the effectiveness of the credit monitoring given only 25% of customers took up this offer.

Clearly the actions taken after the identification of a breach are critical not only for assisting affected clients and protecting the reputation of the business, but are also material to the enforcement action and fine that the ICO decides upon.

Deciding on the fines

In imposing a penalty, the ICO makes it clear it is looking for a fine that is ‘effective, proportionate and dissuasive.’ In this respect the ICO does also consider the financial standing of the company as evidenced in filings at Companies House.

In the case of DSG, the ICO also makes it abundantly clear that the fine would have been significantly higher had the breaches been considered under current legislation; instead, the maximum fine of £500,000 available under the legislation in place at the time was imposed.