igor - Fotolia
GDPR one year in
Until recently, no one assumed the ICO would issue large fines for GDPR non-compliance. But that has all changed now that it plans to fine BA
Earlier this month, news broke that the UK Information Commissioner’s Office (ICO) was planning to fine British Airways (BA) £183m for a leak of personal data. The airline plans to appeal.
If the ICO prevails, this will be the largest fine it has ever issued for the mishandling of personal data – a whopping 366 times the previous record. The reason for this is simple: it will be the first such fine issued under the updated May 2018 Data Protection Act (DPA), which replaced the previous 1998 act and embedded the EU’s General Data Protection Regulation (GDPR) into UK law.
Despite all the hype around GDPR coming into force across the European Union (EU) on 25 May 2018, there was always going to be a delay before it started to be enforced, for two reasons. First, when an investigation starts, it is nearly always looking at a historic discovery of data mismanagement, often years before, so in the UK, the DPA 1998 would have applied at the time of the offence, even if it had only recently come to the ICO’s attention. Second, the average time taken from the start of an investigation to an ICO enforcement is more than 12 months, which means many current investigations would have started before GDPR came into force.
Enforcing data law
The ICO takes one of four enforcement actions on discovering a breach of the DPA. Of the 124 cases listed on the ICO’s website between 27 June 2017 and 25 June 2019 (cases are removed from the website after two years), there are 29 enforcement notices requiring an organisation to stop processing data in a certain way, 12 prosecutions of individuals, 11 undertakings for an organisation to modify its behaviour and 72 monetary penalties. About 60% of the fines issued during this period relate to the 2003 Privacy in Electronic Communications Regulations (PECR), which controls the use of marketing emails, SMS and phone calls, rather than data mishandling.
Nearly all listings provided by the ICO relate to a single organisation and/or a data processor it has worked with. However, three quite recent listings relate to over 100 fines issued in November 2018, which were also under the DPA 2018, not for mishandling personal data, but for failure to pay the data protection fee. The maximum fine for this is £4,350, but 90% were for just £400. Another 900 or so notices of an intention to issue such fines have also been issued. The data processing fee ranges from £35 to £2,900 and is used to fund the work of the UK ICO, the proceeds from fines going to the Treasury’s Consolidated Fund.
Ramping up the fines
The ICO now employs 670 staff, having grown over the past few years to meet wider data protection responsibilities that come with GDPR. However, thus far, more staff has not led to more fines for mishandling personal data, the ICO having issued 34, 54 and 42 fines in 2016, 2017 and 2018 respectively. In the first six months of 2019 there have been just 13. However, too much should not be read into these numbers because the ICO has campaigns. For example, in early 2017 it had a big clampdown on charities for mis-sharing data, issuing 11 comparatively small fines. If you add in the non-registration fines to the 2018 figures, the picture changes dramatically.
The maximum fine available to the Information Commissioner’s Office under the DPA 1998 was £500,000. However, the average fine issued during the past two years was £116,000 (excluding those relating to PECR and the to-be-appealed BA judgment). Up until September 2018, the highest fine issued for data mishandling had been £400,000, and then only on three occasions: TalkTalk Telecom Group for a 2016 theft of 157,000 customer records; Carphone Warehouse for risking of exposure of personal data during a cyber attack; and Bounty for the unlawful sharing of some 35 million personal data records.
In September 2018, the ICO issued the maximum fine for the first time to Equifax after it was hacked and the personal information of up to 15 million UK citizens was exposed, and again in October 2018, when Facebook was found to be exposing too much data to third-party apps via its application programming interfaces (APIs).
So, to date, the ICO has been reticent to use the most serious fines. It looks like such constraint is set to disappear as news of the ICO’s plans to issue its first fine under the new laws breaks. Under the DPA 2018, the maximum fine is £17m or 4% of annual global turnover, whichever is greater. The BA judgment will show how far the ICO intends to go with its new powers.
Greater focus on data privacy
Although the number of fines issued by the ICO has not increased much since the DPA 2018 came into force, the publicity around GDPR has changed the conversation between suppliers of IT products and services and their customers and prospects, as both data privacy and security have risen up the agenda. Almost any supplier in any area of IT has something to say about GDPR, as the following selection from across the industry testifies.
In some cases, the impact of GDPR is obvious and direct. Egress, a UK-based supplier of email encryption software, which also helps prevent users accidentally sending out confidential data, says it saw a significant increase in business in the first half of 2018 compared with the same period of 2017, as data privacy rose up the agenda. Another security supplier, Fortinet, with a background in application firewalls, says it has seen more focus, and therefore investment, on data privacy, while existing technology is relied on for data protection
Read more about data regulations and fines
Hotel group Marriott International is the second major company to be fined by the UK privacy watchdog for infringements of the GDPR.
We talk to Mathieu Gorge, CEO of Vigitrust, about the BA and Marriott GDPR fines and what organisations can do to ensure they achieve compliance with GDPR and similar regulations.
While the liability for the mishandling of personal data lies with data controllers, when procuring services they expect suppliers to provide back-to-back guarantees relating to data protection, often requesting more robust contractual terms than in the past.
Iland, a provider of cloud-based infrastructure and disaster recovery services, says about 60% of its customers and prospects based in or trading in the EU now request GDPR-specific information and guarantees. To this end, it has ensured compliance with UK BSI standard BS 10012 which aims to bring the management of personal data in line with GDPR.
Keeping track of personal data
Callsign is a supplier of identity and access management software. Its Policy Manager product allows users choice in how they authenticate and interact online, for example choosing not to share biometric data and opting to use an alternative method. Callsign has seen requirements such as this appear more and more in requests for information (RFIs). However, it worries that some organisations are taking a tickbox approach to GDPR rather than making a true commitment to better privacy.
With GDPR it is not enough to just keep track of how your own organisation deals with personal data – you also need to be aware of how data is being shared with suppliers and what they are doing with it.
Suppliers such as BitSight, a provider of software to manage third-party risk, has seen an increase in focus from senior managers on controlling how data is shared in supply chains, which may link hundreds or thousands of organisations together. BitSight also collects security performance data from more than 180,000 companies globally. Since 1 May 2018, it has measured a 1.8% improvement in the performance of European organisations, while those in most other areas have slipped backwards.
The impact of GDPR has spread well beyond the EU. This is not just because, as the largest single market, other organisations want to interact with European consumers.
Because the General Data Protection Regulation is seen as a vanguard for a general uplift in global privacy standards, Ivanti, a global provider of IT management tools, now uses GDPR as a baseline for all its products and services worldwide. Ivanti believes its focus on privacy helps it retain customers and attract more prospects well beyond the EU.
As more rulings under the DPA 2018 are made by the ICO there will be more guidance as to the scale of the regulatory risk and harsh judgments, such as that delivered to BA, will likely drive more investment. Any organisations that deal primarily with data pertaining to UK citizens hoping for a Brexit get-out from GDPR should think again. The government and the ICO remain committed to GDPR via the DPA 2018, and it seems there is no mood for change. GDPR is firmly established in UK law and will soon be the primary legislation used for enforcement of data protection.
Bob Tarzey is a freelance IT analyst.