The UK adopted GDPR legislation as law in 2018. How effective has it been?
Although Brexit has come and gone, GDPR is still in force in the UK. Substantial fines can be imposed for allowing unauthorised access to personal data. The UK Information Commissioner’s Office (ICO) publishes details of actions taken under the GDPR and other data privacy laws. These details give an overview of the impact of GDPR in the UK.
The BBC revealed that the largest GDPR fine in the UK up to 2021 was the £20 million imposed on British Airways in 2020. The incident began in June 2018 and involved British Airways users being redirected to a fraudulent site. Personal and credit card details were harvested, including the 3-digit CCV code from the back of credit cards. British Airways admitted responsibility but stated that it was ‘surprised and disappointed’ by the fine.
The second largest fine was £18.4 million, imposed on Marriott Hotels. This was for the loss of customer details following a cyber attack, including credit card information and passport details. The breach dated from 2014 but was not discovered until 2018.
Both of the largest fines resulted from lax security on the part of the data holder. The cases recorded for the first 5 months of 2021 all relate to deliberate disclosures of personal information. Between June 2018 and May 2019 American Express sent marketing messages to customers who had not provided adequate consent; in May 2021 it was fined £72,000. Of the 17 other fines awarded up to May 2021, all but one related to direct marketing and unsolicited calls or emails. The remaining offence concerned a motor industry employee selling personal data to an accident claims firm. The individuals on both sides of the sale were jailed, fined and required to repay the sums they had dishonestly earned.
In 2020, 22 cases were reported with monetary penalties or enforcement notices, including British Airways and Marriott. All but 7 related to some form of deliberate unsolicited marketing. Apart from British Airways and Marriott, the remaining 5 were: Ticketmaster £1.25 million, Experian (no fine, but it was required to change how it deals with customers’ data), Decision Technologies Ltd £90,000, Cathay Pacific £500,000 and DSG Retail £500,000.
DSG is better known as Dixons and Currys PC World. Personal data was compromised following a cyber attack on the company’s point-of-sale (POS) till system. DSG was held responsible because its poor security procedures allowed the cyber attack to take place and personal details to be harvested.
The above figures relate to prosecutions where data protection laws have been broken. They do not include cases where the data protection fee has not been paid. The fee varies from £40 to £2,900, and an organisation that is not exempt and has not paid it can be fined.
The total number of prosecutions recorded has been extremely small, although the potential penalties are high. A clear majority of cases relate to companies that have deliberately misused or illegally profited from personal data. Ignorance or lack of preparation is not, however, an excuse.
Although the actual data loss may result from a cyber attack, it is the original data holder or processor who is held responsible, because they have not taken adequate precautions to protect the personal data they are responsible for.
At first glance the figures model a reverse lottery: there is very little chance of being fined, but if you are, that fine could be ‘eye-wateringly’ large. These figures do not take into account the improvement in the data protection landscape that GDPR has put in place. With organisations required to follow steps to protect personal data, the opportunities for data loss are reduced. There is also improved protection against deliberate misuse of data, such as unsolicited messaging, because clear penalties are in place to govern personal data use. Organisations should not see GDPR as a threat to their business but as a protection against cyber attacks and a safeguard of the personal data they process. If that is the carrot of GDPR, the stick is that a data breach can lead to a punitive GDPR fine on top of the financial losses related to the breach itself.
Kindus can help your organisation take up the carrot and avoid the stick of GDPR.