Stop us if you’ve heard this one before: organisations that fail to meet the requirements of the GDPR (General Data Protection Regulation) face fines of up to €20 million (about £17.3 million) or 4% of their annual global turnover, whichever is greater.
Experts have been warning organisations about this since long before the Regulation took effect on 25 May 2018, but their advice has started to fall on deaf ears. That’s somewhat understandable, given that no UK organisation has yet been disciplined under the GDPR.
But that’s about to change – and here’s why.
GDPR fines expected in June
The UK’s supervisory authority, the ICO (Information Commissioner’s Office), doesn’t issue fines lightly. This has been the case for years, and it typically takes about twelve to fifteen months for the ICO to complete an investigation and decide on disciplinary measures.
You can browse the ICO’s recent enforcement actions for evidence of this. For instance, an investigation into the pregnancy and parenthood advice club Bounty UK was launched on 30 April 2018 and concluded last week with the ICO issuing a £400,000 fine.
Likewise, the data protection watchdog began communications with the London Borough of Newham in April 2018 after complaints that it had exposed the personal data of more than 200 people. On 4 April 2019, the ICO issued a fine of £145,000.
Other investigations that have recently concluded include an NHS manager who misappropriated information, a funeral home that sent nuisance calls to thousands of people and a television company that filmed a maternity ward without parents’ consent. These incidents were all reported to the ICO in November 2017, meaning the supervisory authority spent more than a year investigating.
When you consider that alongside the fact that the GDPR can’t be applied retroactively (incidents that occurred before 25 May 2018 are dealt with under the Data Protection Act 1998), it’s easy to see why we’re yet to see a fine under the GDPR in the UK. It’s not that organisations have gone unpunished in the past year; it’s that the ICO has been working through breaches that occurred before the Regulation took effect.
With the ICO now concluding investigations into incidents that were reported at the end of April 2018, it’s only a matter of time before the authority moves on to incidents that occurred on and after that landmark 25 May 2018 date.
If the ICO maintains its twelve-month timeframe for investigations, we could see the first GDPR fine in the UK in late May or early June.
Which organisation will be the first to be fined?
Regulatory fines aren’t handed out on a first come, first served basis, so it’s hard to say which UK organisation will enter the GDPR record books. Many people have speculated that the ICO will be looking for a mammoth fine to make other organisations sit up and take note.
That was certainly the case in France, whose data protection regulator, the CNIL, fined Google €50 million (£44 million) in January. The ICO is also investigating the Internet giant, and we wouldn’t be surprised if a similar penalty was handed out, but we doubt the decision will be made in the next few months.
A far more likely candidate is Dixons Carphone. The retailer was hit by a cyber attack in July 2017 but the damage wasn’t discovered for almost a year. The ICO commented: “We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the [Data Protection Act] 1998 or [the GDPR].”
Another candidate for the first GDPR fine in the UK is the NHS. The organisation reported a coding error that exposed the personal data of 150,000 patients in early July 2018.
Unlike the Dixons Carphone incident, the breach occurred after the GDPR took effect and is a clear violation of the Regulation’s requirements.
Those affected had requested that their personal and health information should be used only for medical purposes. However, the SystmOne application never passed on the request to NHS England’s IT provider, meaning the information was also used for research and auditing purposes.
It’s not a devastating breach in the grand scheme of things, but it’s still a violation of the individuals’ right to object to processing – one that could prove to be a regulatory landmark.
Looking for a fast and affordable route to GDPR compliance?
The organisations that have come under investigation for GDPR violations haven’t failed for a lack of effort. Their shortcomings are more likely a result of the complexity of the Regulation’s requirements, and the cost and disruption of implementing them.
These challenges are particularly tough to overcome for SMEs, which often lack the resources to tackle implementation effectively. Unfortunately, they are also the most likely to fall foul of the GDPR, with a regulatory breach potentially causing ruinous financial and reputational damage.
You can avoid that fate with IT Governance’s GDPR Quick-Comply for SMEs. This bundle is tailored specifically for smaller organisations, providing essential resources, like staff awareness training and a documentation toolkit, to fast-track your implementation project.