GDPR anniversary to be marked with big fines

Published 23 May 2019

Key Contacts

  • Patrick Wheeler

    Partner - Head of IP & Data Protection

The first anniversary of the General Data Protection Regulation (GDPR) on 25 May is likely to be marked with big fines, says data and privacy law firm Collyer Bristow.

The Information Commissioner’s Office (ICO) has to date announced just 127 enforcement notices despite there being an estimated 10,000 data breaches in the UK and 59,000 breaches across the EU since the introduction of GDPR in 2018.

Fines have been handed down by the ICO, most notably to HMRC, Vote Leave and Uber, but not to the same extent as its European counterparts – French regulators have, for example, fined Google €50m for data breaches – nor at the full levels within its power.

Patrick Wheeler, Partner and Head of Intellectual Property and Data Protection at Collyer Bristow said: “Organisations may have begun to feel complacent about their GDPR obligations, but that would be a mistake.”

“The ICO has teeth and very real powers. Whilst the ICO’s position is that fines are a last resort in persuading businesses to comply with the GDPR, it can fine organisations up to the greater of €20m or 4% of global turnover, and we are expecting it to hand down some pretty hefty fines any day soon to coincide with the first anniversary of the GDPR regulations.”

Patrick adds: “There are good reasons for the ICO to make its presence felt now. In the last 12 months we have seen major data breaches from, to name just a few, British Airways, Ticketmaster, Facebook and HMRC. The ICO will want to show that it takes its responsibilities seriously, that it has teeth, and that it wants businesses to work hard to comply.”

And it is not just data breaches that are attracting fines. Organisations that fail to pay the annual registration fees for managing personal data are already being fined, albeit at much smaller levels.

Patrick adds: “Top end paint manufacturer Farrow and Ball have been fined £2,900 for non-payment of its registration fee. It argued in an appeal that it missed the deadline because of staff holiday, but that did not excuse its lack of a proper compliance procedure. The ICO is beginning to take a tough line.”

Collyer Bristow reminds businesses faced with a data breach of the steps they must now take:

  • Investigate to establish whether a breach has occurred and its likely impact.
  • Breaches affecting the rights and freedoms of individuals need to be addressed immediately.
  • If such a breach is confirmed it must be reported to the ICO within 72 hours.
  • Your data protection team must then take all necessary steps to stop it continuing and:
    • Establish how the breach occurred
    • Investigate the extent of the information breached
    • Determine the consequences of the breach
    • Outline measures to prevent further breaches
  • Determine then whether specialist legal and crisis management advice is needed
  • Review your current data and cyber security arrangements
  • If appropriate, disclose the data breach to those affected and wider stakeholders. Full disclosure and reassurance about the corrective steps being taken is often the best policy.
  • And do not forget to notify the ICO within 72 hours.

Patrick Wheeler is available for interview. He can be reached by email: Patrick.wheeler@collyerbristow.com.
