The UK Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation (GDPR) went into effect this year, and the first enforcement actions came sooner than many industry analysts expected. There was a general expectation that GDPR enforcement would not be seen until early 2019, but the first notices ended up being served in late September. The Information Commissioner’s Office (ICO), the UK’s independent authority for both GDPR and DPA issues, was also not shy about handing out maximum and near-maximum DPA fines throughout 2018. These ICO fines are already well into the millions of pounds with most of a month yet to go in the year.
The 10 largest ICO fines to date cumulatively total about £5,000,000. The total fine amount for the year has yet to be tabulated, but it looks to be millions of pounds sterling ahead of the total collected in 2017.
This was also the first year in which ICO assessed the maximum fine amount (currently £500,000) to uphold information security standards. Facebook and Equifax earned this dubious distinction for their major data security lapses. Of course, these are the maximums under the DPA. ICO is also set up to uphold GDPR regulations, and the maximum penalties there are considerably higher – up to €10m or 2% of annual turnover for more common violations and €20m or 4% of annual turnover for breaches that impact the victim’s “rights and freedoms.” DPA and GDPR fines can be levied simultaneously, though as of yet ICO has taken just one significant GDPR action.
The first GDPR action
ICO’s first GDPR action was against AggregateIQ Data Services Ltd., a Canada-based digital marketing firm that was linked to the Facebook Cambridge Analytica scandal and did much of its work in recent years for groups supporting the Brexit campaign. The company was served notice to perform an audit within 30 days or face the maximum GDPR fine, and was also ordered to cease processing the data of UK and EU citizens during that time.
Overview of 2018 DPA actions
ICO was very active with DPA actions throughout 2018, fining companies in a broad range of industries.
The finance and manufacturing sectors were hit particularly hard, with several thousand companies failing to pay their annual data protection fee and being cited for it. These particular ICO fines are on a sliding scale that ranges from £35 to £2,900 depending on the company size and volume of personal data it processes. The fine can go up to £4,350.
The larger ICO fines (ranging from the tens to hundreds of thousands of pounds sterling) were issued to companies that made significant volumes of nuisance calls or sent similar marketing emails without consent, failed to have adequate data security measures in place, or revealed protected personal data in mass emails. Smaller ICO fines were levied against companies that failed to post required information notices when surveillance measures were in place, and several individuals who made off with protected data when they left an employer.
The public sector is not exempt from these rules, of course. Government entities that received ICO fines include Heathrow Airport (data security violation), the Gloucestershire Police (disclosure of personal data in a mass email), the University of Greenwich (data breach), and the Royal Borough of Kensington and Chelsea (unlawful identification of property owners).
The biggest offenders
Facebook earned the maximum £500,000 for their data security lapse in the Cambridge Analytica scandal. The rogue UK political consulting firm, which did most of its business supporting right-wing political candidates in elections throughout the world, gained illicit access to the personal data of 87 million Facebook users. They did this by way of a quiz app that was used by only 270,000 people, but once used it could hop through the user’s friend network scraping data. This fine is likely going to be only symbolic as Cambridge Analytica shuttered and filed for bankruptcy in May.
Equifax also earned a £500,000 fine for allowing hackers to steal a massive amount of sensitive financial information in a 2017 cyber attack. The credit reporting company is based in the United States and the scandal was centered on that country, but Equifax also has a UK branch that potentially exposed the data of 15 million citizens there. Equifax was “saved by the bell” so to speak, as the breach occurred just before GDPR regulations took effect. Had it happened after, they would have been on the hook for the maximum penalty.
Uber was presented with a £385,000 fine due to the 2016 breach in which the personal data of up to 2.7 million UK customers was potentially exposed. Hackers got away with basic personal contact information for customers as well as more detailed driving histories for Uber’s fleet of independent contractors. The issue was complicated by the fact that Uber opted to try to hide the breach by paying off the hackers instead of disclosing it, something that likely earned them both a higher fine and much higher costs in terms of negative PR.
Yahoo! UK Services Ltd. earned a £250,000 fine this year for an attack that took place in 2014. The 2014 attack exposed the contact information and passwords of 500 million Yahoo! users, with about eight million UK citizens among them. This case is particularly interesting in terms of data privacy for individuals outside of the UK. Russian state intelligence is believed to have been behind the attack, and the information was stolen from servers in the United States. It illustrates that choosing a remote data storage provider carefully and reviewing its security practices is vital, especially when companies store or move the personal information of UK residents outside of the country.
British Telecommunications was hit hard for sending spam emails, to the tune of £77,000. The company was flagged for sending about five million unsolicited marketing emails; BT felt that it should not be subject to ICO fines as the emails were soliciting charitable donations for organizations such as Giving Tuesday and Stand Up To Cancer. Regardless, the DPA requires customer consent for such emails, which BT failed to properly obtain.
ICO fines in 2018: Key takeaways
Though there has been little in the way of GDPR enforcement as of yet, ICO’s increased DPA activity should be an indication that it’s right around the corner. It’s true that some of the ICO fines under the DPA can be too small to be a real deterrent, but the GDPR changes that whole situation dramatically.
Many companies also appear to have missed that they are now required to pay a data protection fee – any organization that handles personal data, even if very small, is likely required to pay at least £35 to £60 annually to be registered.