What will ICO take into account when considering fines under GDPR? The Regulatory Action Policy says:
– nature and seriousness of the breach
– the types of personal data and number of individuals affected
– the costs of mitigating any risk, issue or harm
– the attitude of the individual or organisation concerned will also be a relevant factor
– self-reporting is encouraged and will be taken into account when enforcement action is being considered
– fining powers will only be deployed by the ICO where they are deemed to be “effective, proportionate and dissuasive”
Failure to Adequately Protect Personal Data
- Heathrow Airport Ltd – October 2018 – Fined £120,000 under old Data Protection Act 1998 for a data breach involving the loss of a USB memory stick because there had been a ‘lack of training and controls’ on the use of removable storage media.
- BUPA – October 2018 – Fined £175,000 under the old Data Protection Act 1998 for failing to use appropriate technical and organisational measures to protect personal data.
- Equifax – September 2018 – Fined £500,000 under the old Data Protection Act 1998 for failing to protect the personal data of 15 million UK citizens during a 2017 cyber attack. Personal data included names, dates of birth, addresses, telephone numbers, passwords, driving licences and financial details. The fine was the maximum allowed under the old laws and would be much higher under GDPR.
- Oaklands Assist UK – October 2018 – Fined £150,000 under the Privacy and Electronic Communications Regulations 2003 for making unsolicited marketing calls.
- Boost Finance Ltd – October 2018 – Fined £90,000 under the old Data Protection Act 1998 for sending marketing emails in breach of the Privacy and Electronic Communications Regulations 2003.
- Facebook Ireland Ltd and Facebook Inc – October 2018 – Fined £500,000 under the old Data Protection Act 1998 for allowing third party apps to access users’ personal data without their consent.
Liability for Employees' Conduct
- Morrison Supermarkets Plc held vicariously liable to 5,000 claimants for breach of statutory duty in a rogue employee’s vexatious disclosure of co-workers’ personal data on the internet.