23 May 2019
The first anniversary of the General Data Protection Regulation (GDPR) on 25 May is likely to be marked with big fines, says data and privacy law firm Collyer Bristow.
The Information Commissioner’s Office (ICO) has to date announced just 127 enforcement notices despite there being an estimated 10,000 data breaches in the UK and 59,000 breaches across the EU since the introduction of GDPR in 2018.
Fines have been handed down by the ICO, most notably to HMRC, Vote Leave and Uber, but not to the same extent as its European counterparts (French regulators have, for example, fined Google €50m for data breaches), nor to the full levels within its power.
Patrick Wheeler, Partner and Head of Intellectual Property and Data Protection at Collyer Bristow said: “Organisations may have begun to feel complacent about their GDPR obligations, but that would be a mistake.”
“The ICO has teeth and very real powers. Whilst the ICO’s position is that fines are a last resort in persuading businesses to comply with the GDPR, it can fine organisations up to the greater of €20m or 4% of global turnover, and we are expecting it to hand down some pretty hefty fines any day soon to coincide with the first anniversary of the GDPR regulations.”
Patrick adds: “There are good reasons for the ICO to make its presence felt now. In the last 12 months we have seen major data breaches from, to name just a few, British Airways, Ticketmaster, Facebook and HMRC. The ICO will want to show that it takes its responsibilities seriously, that it has teeth, and that it wants businesses to work hard to comply.”
And it is not just data breaches that are attracting fines. Organisations that fail to pay the annual registration fees for managing personal data are already being fined, albeit at much smaller levels.
Patrick adds: “Top end paint manufacturer Farrow and Ball have been fined £2,900 for non-payment of its registration fee. It argued in an appeal that it missed the deadline because of staff holiday, but that did not excuse its lack of a proper compliance procedure. The ICO is beginning to take a tough line.”
Collyer Bristow reminds businesses faced with a data breach of the steps they must now take: