The Information Commissioner’s Office has powers to fine organisations and to impose restrictions on their data processing activities in the event of data breaches. Serious breaches can now see organisations fined up to 20 million Euros or 4% of group worldwide turnover, whichever is higher. In this guide, we discuss how the ICO pursues and acts on data protection infringements in the UK.
On 25 May 2018 the Information Commissioner’s Office (ICO) was given increased powers to pursue and fine data protection infringements.
The Data Protection Act 2018 came into force on the same day, supplementing the EU’s General Data Protection Regulation (GDPR) in UK law and superseding the Data Protection Act 1998. This brought about wholesale changes to the law, changing the way businesses in the UK control, process and manage personal data.
The ICO is the Supervisory Authority that enforces data protection legislation in the UK, with the DPA 2018 setting out its duties, functions, powers and enforcement provisions. This matters because it means the ICO decides any fines imposed on organisations operating within the UK.
The biggest change to understand going from the DPA 1998 to the DPA 2018 is that the ICO now has powers of enforcement over both the data controller and the data processor. Under the previous legislation, it only had powers over the controller.
The fines for infringement are significant, and make no mistake, the ICO does pursue infringements with vigour. It has a legal obligation to do so. There are two levels of fine under the GDPR, which we cover below.
Higher level fine
Under the GDPR, the ICO can issue a fine of up to 20 million Euros or 4% of group worldwide turnover (whichever is higher). The fine can be issued against both the data controller and the data processor if the ICO believes responsibility lies with both.
Here’s a list of some of the infringements that attract fines up to the higher limit:
· Infringement related to obtaining consent and lawful processing
· Infringement related to the individual rights of data subjects
· Infringement related to transfers of personal data
· Infringement related to failing to respond properly to a subject access request
· Infringement related to the accountability principle of GDPR.
This fine level is covered by Article 83(5) of the General Data Protection Regulation.
Lower level fine
There is also a lower fine of up to 10 million Euros or 2% of group worldwide turnover (whichever is higher) for lesser infringements. They are considered “lesser” only because they concern the obligations placed on controllers and processors rather than directly infringing the rights of data subjects.
Here’s a list of some of the infringements that attract fines up to this level:
· Failure to integrate data protection “by design and default”
· Failure to report breaches
· Failure to cooperate with an ICO investigation
· Failure to carry out Data Protection Impact Assessments
· Failure to appoint a Data Protection Officer if required to do so
· Failure to only process data on the controller’s instructions
This fine level is covered by Article 83(4) of the General Data Protection Regulation.
How the ICO pursue infringement
The ICO relies largely on others to inform it of personal data infringements. Members of the public can complain and employees can whistleblow. Controllers and processors are also required by law to report certain breaches to the ICO, without undue delay and where feasible within 72 hours of becoming aware of them.
When it receives a breach report, the ICO will investigate, scrutinising the data protection policies of the controller, the processor or both and reviewing the processes that sit behind those policies.
When it receives a personal data complaint from a member of the public, the ICO will investigate, advise the organisation and ask it to resolve the problem. Where an issue can be resolved without formal notice, the ICO will take that route.
Any fine must be proportionate to the infringement. Where one organisation commits several infringements in the same or linked processing operations, they are treated as one case and the total fine cannot exceed the maximum for the gravest of them, i.e. 20 million Euros or 4% of group worldwide turnover. The ICO can also take no action if no infringement is found after an investigation.
If a low-level infringement is found, the ICO may give the organisation the opportunity to change its processing activity to meet the demands of the GDPR, and may carry out follow-up checks to ensure remediation measures are in place. History suggests a fine may still be imposed, however.
The ICO’s investigative process is confidential, so its inner workings are not public. What we do know is that every complaint and breach report is recorded and investigated.
As for what counts as a breach, the ICO defines a personal data breach as follows: “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.”
How the level of fine is determined
When deciding whether to impose a fine and at what level, the ICO works on a case-by-case basis, applying the factors set out in Article 83(2) of the GDPR.
The first factor is the type of infringement: Article 83 of the GDPR lists which infringements fall under the higher and lower limits (briefly covered above), and this sets the maximum fine that can be imposed.
Of course, the maximum is just that, a maximum. Under the Data Protection Act 1998 the ICO issued its then-maximum fine of £500,000 on only a couple of occasions.
The joint-highest fine imposed by the ICO under the DPA 1998 is £500,000, shared by Equifax, fined in September 2018 for failing to protect the personal data of up to 15 million UK citizens, and Facebook, fined the same amount in October 2018 for unlawfully sharing the personal information of up to 87 million users.
These fines could have been far higher under the GDPR and the Data Protection Act 2018, but because the breaches occurred before 25 May 2018 they were investigated and fined under the Data Protection Act 1998.
When determining the level of fine, the ICO will consider, among other things:
· The nature, gravity and duration of the infringement and the number of data subjects affected
· Whether the infringement was intentional or negligent
· The actions taken by the controller or processor to mitigate the damage suffered by data subjects
· Previous infringements by the controller or processor, for example earlier complaints from members of the public or warnings from the ICO
· How the infringement became known to the ICO, in particular whether the organisation notified the ICO itself or someone had to blow the whistle
· Any financial benefits gained, or losses avoided, directly or indirectly as a result of the infringement
This is a non-exhaustive list, but as you can see the factors are wide-ranging, and no two cases are the same. Whatever the case, the ICO’s investigation will be thorough if it believes the rights and freedoms of individuals have been compromised or put at risk. The ICO publishes its latest enforcement action on its website.