A blog on behalf of Legal Futures Associate CILEx Regulation by Keith Dewey, DataGRC’s lead data privacy and security consultant
We’re still waiting to see what GDPR fines will look like. The Information Commissioner’s Office (ICO) continues to fine approximately three organisations a month under the older legislation, the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations.
Both have a £500,000 upper limit. Equifax was the first company, ever, to get the full £500K whack in September 2018.
An ICO/Financial Conduct Authority (FCA) investigation found failure with five of the eight data principles. Personal data of 15 million UK citizens was stolen from this colossal credit bureau’s US systems.
It is interesting to compare this against Tesco Bank’s FCA fine in October, which amounted to £16.4m (3,300% higher), after its payment-card processes were compromised and £2.3m was directly stolen.
On top of fines, and potentially even more costly, we are seeing an increasing number of law firms positioning themselves to bring group actions against businesses that fail to protect the human right to privacy.
For example, Hayes Connor Solicitors has proposed, on a ‘no-win, no-fee’ basis, up to £5,000 per victim affected by the recent British Airways website hack. Some 380,000 people are said to have had their payment-card details compromised, suggesting a maximum bill of nearly £2bn; however, figures closer to £500m have also been floated.
This cost would be in addition to any GDPR fines, which could be a similar value if appropriate controls cannot be demonstrated, plus the costs of remediation, operational management, lost business, etc. We wait to see how damages will be calculated. Move over payment protection insurance!
The European Parliament voted on 5 July to suspend the EU-US Privacy Shield – this is one of the most commonly used safeguards when sharing personal data with the United States. However, this was a non-binding recommendation and has so far resulted in very little change.
At the same time, Brexit shenanigans suggest that the UK’s data protection legislation may no longer be deemed adequate for the EU, even though GDPR is referenced to excess within the UK’s new legislation.
Companies’ responses to both complications have ranged from “let’s wait” and establishing model clause contracts, to physically relocating businesses.
Either way, these political wranglings must be proving costly for businesses, while the underlying processes and risks remain the same.
Data subject requests
Most companies have seen an increase in the number of requests being made, some considerably so. The more challenging requests were often driven by pending legal action from disgruntled ex-employees or from upset customers.
In the latter case, resolving the underlying issue has proved more cost effective in many cases, with some customers subsequently agreeing that they didn’t really want a data request in the first place.
The practice of holding certain internal discussions under legal privilege is also becoming more prevalent, both when dealing with the harder data subject requests and when handling security events.
The ICO doled out a £120,000 fine to Heathrow Airport Ltd in October for inadequate data security controls. It also highlighted that only 2% of the company’s staff had been trained in data protection. We suspect this didn’t help to reduce the fine.
As the Q2 excitement around consent and privacy notices dies down, demonstrable accountability remains an area that many companies are still working on.
This includes training staff, appropriately documenting and assessing processes, maintaining appropriate controls, signing adequate third-party agreements and formalising governance mechanisms. Many companies are finding that they need more than just spreadsheets to achieve a position they are comfortable with.
If there is a window for non-compliance with the law, beyond the two years already provided by the legal system, that window is certainly continuing to close.
The ICO continues to indicate that it will take a measured approach, and that companies which can demonstrate they have tried to do the right thing will come off better when things go wrong.
We wait to see what level of risk appetite is deemed appropriate when the GDPR enforcement actions commence.