At the time of its one-year anniversary, there had been no fines under the General Data Protection Regulation (GDPR) in the United Kingdom, but they are coming, according to the Information Commissioner’s Office (ICO), and they are likely to eclipse any fines handed out under prior regulations.
“The first fines under the General Data Protection Regulation are due to be issued soon, once the necessary legal processes have been completed,” an ICO spokesperson told Compliance Week. “The introduction of GDPR was not a deadline but the start of an ongoing process, and there is a lot more work to be done.”
Some of the largest data breaches over the past 12 months include those at British Airways, Ticketmaster, and Facebook. These companies may be among the first to receive a penalty from the United Kingdom under the new regulations.
According to Erik Luysterborg, a partner in Deloitte’s risk advisory group, this delay was expected.
“Both the ICO and the other regulators in Europe have been in a transition year,” he said. “They all said to me that they had to get to grips with the new authorizations they had, and the new ammunition, and to understand how to do what the GDPR tells them they can do. That’s the reason for the delay in reaching a point where fines can be imposed.”
None of the ICO’s enforcements are prosecutions, as such. Instead, most of its monetary penalties against organizations, for example, for data breaches, are imposed under its civil enforcement powers.
“That said,” added the spokesman, “we will not hesitate to act in the public’s best interests when organizations willfully or negligently break the law. The enforcement action we have planned during the coming months will demonstrate that.”
Balavernie Sritharan, technical director at Deloitte’s GDPR business, believes that while the amount of the fines is likely to increase, “it doesn’t mean that the number of cases that might receive a large fine is likely to rise.”
Luysterborg added: “What I’ve heard from authorities is that they are taking this very seriously; it’s true that they want to go for compliance rather than fines, but the reality will be somewhere in the middle.”
Luysterborg also noted the large increase in the number of complaints and that these have risen more than data breach reports. “I do think there will be more fines soon,” he said, “but it will be a mixed bag in terms of the amounts. For example, the Dutch authority is trying to come up with a matrix defining the different severities of breaches so that they can calculate what fine to hand out.”
In a recent blog post, ICO Commissioner Elizabeth Denham said her office has “a range of enforcement and sanctioning powers, from light to severe – from letters warning against intended processing of data to monetary penalties of up to 4 percent of global turnover for the most serious and harmful contraventions.”
The ICO has also “issued organizations with warnings and reprimands across a range of sectors including health, central government, criminal justice, education, retail and finance.”
“The focus for the second year of the GDPR must be beyond baseline compliance - organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated.”
Elizabeth Denham, ICO Commissioner
Sritharan noted that investigations are not typically announced unless there is significant public interest.
“Companies may be named in an undertaking,” she said, “announcing that the company or organization has been given time to remediate once non-compliance has been identified, and then provide assurance that the remediation has taken place.”
In line with this practice, the ICO has issued 11 information notices in the past 12 months that allowed it to further its investigations. For example, it served an enforcement notice to AggregateIQ, a Canadian company that supplied software to Cambridge Analytica. This was the first formal information action under the GDPR and the U.K. Data Protection Act 2018 that mirrors the EU regulation in Britain. The notice warned that if AggregateIQ “failed to cease its processing of personal data of U.K. or EU citizens for the purposes of data analytics, political campaigning or advertising,” it could face a fine of up to €20 million (U.S. $22.4 million) or 4 percent of its total annual turnover.
“Typically, the authorities will explain why a heavy fine or a light fine has been imposed or a heavy sanction or a light sanction,” clarified Luysterborg. “The regulators also have an arsenal of other actions they can take, like sanctions, which are often used. Fines are typically only used where a company is clearly not responding or the non-compliance issue is of major significance.”
The ICO closed more than 12,000 cases during the past year, though only around 17.5 percent required action and less than 0.5 percent led to either an improvement plan or civil monetary penalty from the old regulations. “While this means that over 82 percent of cases required no action from the organisation,” said Denham in her blog, “it demonstrates that businesses are taking the requirements of the GDPR seriously and it is encouraging that these are being proactively and systematically reported to us.”
Awareness of rights under the GDPR has had several consequences, however.
“While the number of data breach reports has doubled,” said Luysterborg, “the number of complaints received from individuals increased 50 percent more than that. Some of the issues that are out there, that can’t be defined as a data breach in terms of GDPR, are still a breach of the regulations. Data breaches are more easily fixable, but individual complaints are about how people are treating the data, which is a governance issue and a process issue and more difficult to remedy. As such they are likely to receive higher fines.”
Denham stressed in her blog that the responsibility for compliance lies with organizations and noted that the ICO “will act swiftly and effectively.” It will also be taking “robust action” using the intelligence it has gained from more than 40,000 data protection complaints since the GDPR and over 14,000 personal data breaches reported to it, as well as intelligence from other regulators and investigations it has instigated. She also noted that the organization’s workforce will double by 2020, though not all of this increase will be due to the surge in complaints and breaches; some may be due to Brexit and the fact that the United Kingdom will not be able to rely on help from the European Union.
But the ICO is not only about enforcement and penalties. At its annual Data Protection Practitioners’ Conference in April, it presented an award to Mikko Niva of Vodafone for delivering “a pioneering privacy compliance programme for Vodafone—not just in the U.K., but across 21 different countries.”
The ICO spokesman noted that the office wants organizations “to focus on how data protection law can help them to get it right and enhance their reputations by earning people’s trust and confidence, rather than how they might be punished if they get it wrong.”
Most of the largest fines handed out by the ICO during 2018 have been for breaches of the Data Protection Act 1998, which had a maximum limit for fines of £500,000 (U.S. $630,000). Of these, one of the largest so far was Facebook’s £500,000 in October for its role in the Cambridge Analytica scandal. The figure could have been far higher if the breaches had not occurred before the GDPR came into force. At the time of the fine, Denham said: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR.”
Equifax also received the maximum fine in September last year for failing to protect the personal information of up to 15 million U.K. citizens affected by a 2017 cyber-attack on it. Also in September, Your Money Rights was given a £350,000 (U.S. $441,000) fine after making a record 146 million illegal calls. In November, Uber was fined £385,000 (U.S. $485,100) after the company paid off hackers who stole the personal details of around 2.7 million Uber customers in the United Kingdom. The company also did not inform the victims about the incident.
Private companies aren’t the only entities to get fined for data violations over the past year. In May, the Crown Prosecution Service (CPS) received a £325,000 (U.S. $409,500) fine after the agency lost unencrypted DVDs containing recordings of police interviews with 15 victims of child sex abuse that were to be used at trial.
But it is not only those regulators given the task of implementing the GDPR that are involved in protecting data privacy. As Sritharan explains: “There are, across Europe, other regulators who play a part in privacy regulation. Financial services regulators also play a part in consumer privacy safeguarding other than the data protection regulators, and they often work very closely together.”