1st February 2018
With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, the Information Commissioners Office (ICO) will be handed even greater powers than it has under existing data protection laws. From 25 May 2018, the ICO will be able to impose fines of 20 Million Euros or 4% of turnover (whichever is greater), compared with the £500,000 cap presently in place. MSI's Manchester law member Myerson provides further insight.
The Information Commissioners Office (ICO) has recently given fines of £400,000 to Carphone Warehouse for its failure to have adequate measures to protect against cyber-attacks, as well as a fine of £150,000 to Woodgate & Clark Ltd, a record fine for the unlawful disclosure of personal data obtained using private detectives.
The Carphone Warehouse case concerns a security incident in 2015 when hackers gained unauthorised access to the personal data of more than 3 million customers and 1,000 employees.
In issuing the fine of £400,000, which represents one of the largest fines handed by the ICO to date, the ICO found that there were multiple inadequacies in Carphone Warehouse’s approach to data security, including the use of out-of-date software and inadequate measures to identify and purge historic data.
In the case involving Woodgate & Clark Ltd, the ICO found that the actions taken by the company, which involved the use of private detectives, constituted illegal acquisitions of personal data. The fines totalled over £150,000, with the company being fined £50,000 (and £20,000 costs), a director being fined £75,000 and the senior loss adjusters being fined £30,000.
These penalties represent some of the highest fines ever imposed by the ICO and demonstrate the continued efforts of the ICO to combating inadequate security measures, poor practices, misuse and exploitation of personal data by businesses.
Elizabeth Denham of the ICO stated, “as well as these record fines, the organisations and individuals involved also face serious reputational damage as a result of being prosecuted by the ICO”.
Indeed, the damage a business experiences for failure to comply with data protection laws goes far beyond the level of the fine imposed. The breakdown in trust between a business and its customers could have serious consequences for its future profitability and the reputational harm to the business can be severe.
It is crucial that businesses review their existing practices, policies and procedures in anticipation of 25 May 2018 to ensure it will be compliant with GDPR. It is widely anticipated that the ICO will be seeking to impose greater penalties on businesses who fail to demonstrate compliance with all areas of GDPR, including data security, retention of data, consent issues and unlawful direct marketing practices.
If you would like to speak to one of our solicitors specialising in GDPR about compliance or any aspect of data protection law, please contact Myerson
Myerson was founded in Manchester, Cheshire over 30 years ago and is a leading, full service commercial and private client law firm providing bespoke legal advice to businesses and affluent individuals across Manchester, Cheshire, the UK and beyond.
View firm profile
New headquarters for @MSI_Global in London. We recently moved our headquarters to 10 Queen Street Place at the Lon… https://t.co/sk8PY556yB
Register for our free webinar and international panel discussion on trading with the UK post Brexit. Leading accoun… https://t.co/EsDqZVlRYD
MSI's Portuguese member Moneris @RPA_Moneris launches new mobile app to help clients plan and manage #tax payments… https://t.co/yIYisFWqPm