Since the GDPR came into force on 25 May 2018 the ICO has carried out a number of audits on organisations as well as a number of “advisory” visits. These do not necessarily lead to regulatory sanctions but sometimes they do.
Reportedly, since the GDPR came into force, there has been a 160 per cent rise in the number of complaints made to the ICO on the same period in 2017. This is a result of the build up to the GDPR which has heightened individuals’ awareness of their data rights.
In terms of fines, it is too soon after the GDPR came in for GDPR level fines to come down the line as these can take some months to be awarded after the initial complaint. Currently, the UK ICO is issuing fines under the old law where the initial complaint preceded 25 May 2018. Under the old law the maximum fine was £500k.
Under the GDPR, companies can be fined €20 million (£16.5m) or 4 per cent. of their worldwide turnover, whichever is the greater.
Examples of fines over the last month include:
September:
Equifax Ltd – maximum fine £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017. The ICO investigation found that, although the information systems in the US were compromised, Equifax Ltd was responsible for the personal information of its UK customers. The UK arm of the company failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information.
Everything DM –fined £60,000 for sending 1.42 million emails without consent. Between May 2016 and May 2017, the firm used its direct marketing system called ‘Touchpoint’ to send emails on behalf of its clients
Bupa Insurance Services Limited (Bupa) – fined £175,000 for failing to have effective security measures in place to protect customers’ personal information.
Oaklands Assist – fined £150,000 for making thousands of nuisance direct marketing phone calls.
October:
Heathrow Airport fined £120,000 for failing to ensure that the personal data held on its network was properly secured.
Boost Finance – fined £90,000 for millions of nuisance emails about pre-paid funeral plans.
It is reported that the ICO intends to fine Facebook the maximum £500k following the investigation launched in 2017 over the use of data for political campaigns. Were the breach to have happened after 25 May 2018, the ICO would have been able to issue a fine of up to 4% of Facebook’s annual worldwide turnover (reportedly meaning a maximum fine of £479m).
How fines are assessed under GDPR
Fines are regarded as an important tool for the supervisory authorities who have said they will not shy away from issuing fines or only use fines as a last resort.
The Regulator has said that fines under the GDPR are to be “effective, proportionate and dissuasive”. Fines may be imposed in response to a wide range of infringements. Each case is to be assessed individually.
Factors to be taken into account in assessing fines are: