In the past year, the volume of breaches reported to the Data Protection authority in the UK (the Information Commissioner’s Office (ICO)) has increased dramatically (over 6,000 complaints in the first six weeks after the implementation of the GDPR – an increase of 160% over the same period in 2017) which in turn, has led to an increased number of fines.
In Europe, the French Data Protection authority (the Commission nationale de l’informatique et des libertés (CNIL)) levied the first sizeable fine of €50 million against Google in January 2019. The CNIL judged that individuals were ‘not sufficiently informed’ about how Google collected individuals’ data to personalise the advertising. Google is currently appealing the fine.
As an international, well-known business, and this being the highest fine levied to date, it is no surprise that this is headline news. This being said, small and medium businesses, charities and local councils have all been fined by the ICO in the past year, with fines ranging from £250 to £500,000, for reasons varying from the theft of an unencrypted portable hard drive or laptop containing personal data to cyber-attacks and security breaches.
The key message is that whilst the larger businesses and higher fines are often reported in the news, fines are occurring on a regular basis and it is important that your business or organisation has the necessary measures in place to help prevent breaches and fines from occurring.
It is also pertinent to note that the majority of fines issued by the ICO in the past year relate to breaches which occurred pre-implementation of the GDPR and therefore fall under previous law, with the maximum fine being £500,000. The fines levied by the ICO during the past year would arguably be considerably higher under the terms of the GDPR.
Should you have any queries regarding compliance and/or the steps your practice may need to take one year on from the implementation of the GDPR, please contact a member of the CooperBurnett LLP Commercial team on tel: 01892 515022.