Are you fed up with vendor scare-mongering about the challenge of complying with the General Data Protection Regulation (GDPR) and the huge fines heading your way? UK-based organisations may be better off looking at the precedents set by the Information Commissioner’s Office (ICO), the body with responsibility for enforcing data protection in the UK. How the ICO has enforced the existing Data Protection Act (DPA) may provide guidance for the future.
First, let’s get Brexit out of the way, the UK government stated its commitment to data protection in the Queen’s speech following the June 2017 General Election and stated that the GDPR will be implemented in the UK. The ICO has also confirmed this directly to Quocirca.
Under the DPA the ICO has had the power to instruct organisations to undertake certain actions to better protect personally identifiable information (PII). In serious cases, it can issue enforcement notices and, in extreme cases, monetary penalties, up to a current maximum of £500K. It also brings prosecutions against individuals that have abused PII. For example, the July 2017 case against the Royal Free London NHS Foundation Trust for mis-sharing data with Google DeepMind resulting in an undertaking, not a fine.
The ICO is open about its activities; it publishes actions taken on its web site and each case where it has taken action remains there for about 2 years. As of writing, since June 2015 the ICO has issued 87 monetary penalties, 52 undertakings and 35 enforcement notices. It has also brought 31 prosecutions. The DPA is not the only legislation considered by the ICO in taking these actions. It also enforces the 2003 Privacy and Electronic Communications Regulations (PECR), perhaps best known for the so-called Cookie Law, but also for limiting the use of spam SMS/email and nuisance phone calls.
The ICO’s monetary penalties
The average fine issued in the last two years has been £84K; 17% of the maximum. The two largest fines to date have been £400K: one under the DPA to TalkTalk Telecom for its widely publicised 2015 leak of 156,959 customer records, and one under PECR to Keurboom Communications for 99.5M nuisance calls.
Of the 87 fines, 48 were PECR related (average £95K). A further 13 were to charities for mis-use of data (average £14K). 8 were for some sort of data processing issue (average £68K) and 18 for data leaks (average £114K). A future blog post will look at the nature of these 18 data leaks.
The ICO also maintains and publishes a spreadsheet of data security incident trends, which lists all the UK data leaks it has become aware of; these number 3,902 since June 2015. So, the 18 fines issued for data leaks represent less than 0.5% of all cases the ICO could have considered.
The ICO is too resource-stretched to pursue every data leak. As you would expect, it prioritises the worst incidents. Even then, it is reticent to fine and has rarely come near to imposing the maximum fine. The ICO’s job is to protect UK citizens’ data, not to bring down UK businesses. Sure, the ICO will have broader powers, and the possibility to impose higher penalties, under GDPR. However, if the ICO chooses to use these new powers with the same discretion as it has under the DPA, any data manager that has ensured their organisation is paying due diligence to way it handles PII, should not be losing too much sleep.
Quocirca presented these data and some other findings from its ICO research at a recent webinar sponsored by RiskIQ which can viewed HERE.