Because of the timing of the underlying incidents and the related ICO investigations, many of the monetary penalties issued in 2019 were made under the previous legislation, the Data Protection Act 1998, rather than under the GDPR. The maximum financial penalty under the 1998 Act is £500,000, and the ICO has shown itself willing to impose that maximum. In January 2020, for example, it fined DSG Retail Limited (the Currys, PC World and Dixons Travel brands) £500,000 after a ‘point of sale’ computer system was compromised in a cyber-attack, affecting at least 14 million people. Earlier, in December 2019, the ICO fined a London-based pharmacy £275,000 for failing to ensure the security of special category data, its first penalty issued under the GDPR. Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, had left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware.
However, far larger fines under the GDPR are beginning to come through. The outcome of the ICO’s notice of intention to fine Marriott International Inc £99,200,396 for a cyber incident affecting approximately 339 million guest records globally is still awaited, as is the outcome of its notice of intention to fine British Airways (BA) £183.39 million for a cyber incident affecting approximately 500,000 BA customers. According to reports, the deadline for both companies to respond to the notices of intention has been extended to 31 March 2020.
We expect to see more eye-watering regulatory action of this kind in 2020.
Meanwhile, an important point of housekeeping: companies should ensure that they are registered with the ICO and have paid their data protection fee (unless exempt), as the ICO has launched a campaign contacting organisations to remind them to pay. The ICO issued 340 monetary penalty notices for non-payment of the data protection fee between 1 July and 30 September 2019.