Since the GDPR came into force on 25 May 2018 the ICO has carried out a number of audits on organisations as well as a number of “advisory” visits. These do not necessarily lead to regulatory sanctions but sometimes they do.
Reportedly, since the GDPR came into force, there has been a 160 per cent rise in the number of complaints made to the ICO on the same period in 2017. This is a result of the build up to the GDPR which has heightened individuals’ awareness of their data rights.
In terms of fines, it is too soon after the GDPR came in for GDPR level fines to come down the line as these can take some months to be awarded after the initial complaint. Currently, the UK ICO is issuing fines under the old law where the initial complaint preceded 25 May 2018. Under the old law the maximum fine was £500k.
Under the GDPR, companies can be fined €20 million (£16.5m) or 4 per cent. of their worldwide turnover, whichever is the greater.
Examples of fines over the last month include:
Equifax Ltd – maximum fine £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017. The ICO investigation found that, although the information systems in the US were compromised, Equifax Ltd was responsible for the personal information of its UK customers. The UK arm of the company failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information.
Everything DM –fined £60,000 for sending 1.42 million emails without consent. Between May 2016 and May 2017, the firm used its direct marketing system called ‘Touchpoint’ to send emails on behalf of its clients
Bupa Insurance Services Limited (Bupa) – fined £175,000 for failing to have effective security measures in place to protect customers’ personal information.
Oaklands Assist – fined £150,000 for making thousands of nuisance direct marketing phone calls.
Heathrow Airport fined £120,000 for failing to ensure that the personal data held on its network was properly secured.
Boost Finance – fined £90,000 for millions of nuisance emails about pre-paid funeral plans.
It is reported that the ICO intends to fine Facebook the maximum £500k following the investigation launched in 2017 over the use of data for political campaigns. Were the breach to have happened after 25 May 2018, the ICO would have been able to issue a fine of up to 4% of Facebook’s annual worldwide turnover (reportedly meaning a maximum fine of £479m).
How fines are assessed under GDPR
Fines are regarded as an important tool for the supervisory authorities who have said they will not shy away from issuing fines or only use fines as a last resort.
The Regulator has said that fines under the GDPR are to be “effective, proportionate and dissuasive”. Fines may be imposed in response to a wide range of infringements. Each case is to be assessed individually.
Factors to be taken into account in assessing fines are:
- the nature, gravity and duration of the infringement;
- the number of data subjects involved;
- the categories of the personal data affected (e.g. special categories, directly identifiable data, data whose dissemination would cause damage/distress to the individual);
- is it is an isolated event or symptomatic of a more systemic breach or lack of adequate routines in place;
- if data subjects have suffered damage, and the level of the damage;
- action taken to mitigate the damage suffered by data subjects;
- the intentional or negligent character of the infringement, and the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented;
- any relevant previous infringements by the controller or processor;
- the degree of cooperation with the supervisory authority;
- whether, and if so to what extent, the controller or processor notified the infringement;
- any other aggravating or mitigating factor applicable to the circumstances, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.