On 23 May 2020, it will be two years since the Data Protection Act 2018 came in to force. The Act was brought in to compliment and supplement GDPR, and significantly increased the ICO’s enforcement powers. In the build-up to its commencement, there was a flurry of speculation about how these new powers would be used. We now look at the how the ICO has used its enforcements powers in 2019 and highlight key considerations for businesses and organisations in 2020.
Learning lessons from 2019
Storing Personal Data and Cyber-Security
The ICO has made it clear that it expects organisations to be rigorous in ensuring there are appropriate technical and organisational measures in place to prevent data breaches. An estate agency was fined £80,000 for inadvertently allowing personal data to be accessed on a server. The ICO found that the contraventions of the Data Protection Act were not deliberate but that the company had failed to reasonable steps to secure the personal data. The London Borough of Newham was fined £145,000 after the details of individuals who had been placed on the Metropolitan Police’s gang matrix were leaked, even though the ICO was not able did not establish how the leak had occurred. It focussed on the fact that personal data had been circulated via e-mail in an unredacted form, and a series of other compliance failures.
The ICO has not been sympathetic to data controllers who have been the subject of cyber-attacks where there were not appropriate technical and organisational measures in place to identify and guard against such attacks. DSG Retail limited, the owner of Currys PC World and Dixons Travel stores, was fined £500,000 following a cyber-attack. The attack resulted in the extensive compromise of its computer system over a 9 month period. The attacker was able to install malware in points of sale terminals and collect payment card details. The breach affected more than 5 million payment cards, and personal data from approximately 14 million data subjects was exfiltrated. The timing of the breach meant that the ICO’s action against DSG Retail was brought under the Data Protection Act 1998 and the Enforcement Notice stated that “but for the statutory limitation on the amount of the monetary penalty [contained in the 1998 Act], it would have been reasonable and proportionate to impose a higher penalty”. The ICO also issued notices of intention to fine Marriott International nearly £100 million and British Airways more than £180 million under the Data Protection Act 2018 for GDPR breaches related to cyber incidents. The message of the ICO at the time that GDPR was coming into force was that firms should not be alarmed by new enforcement powers, but it made clear in 2019 that it was willing to issue significant monetary penalties to international companies for large-scale data breaches.
In the digital age it is easy to focus on ensuring that IT systems are secure but the security of physical documents should not be neglected. A pharmacy was fined £275,000 under the Data Protection Act 2018 for the inappropriate storage of documents containing personal data and special category personal data. The documents had been stored outside in unsecured crates. The ICO did not find that the information had been taken or used by a third party but issued a fine for failing to provide “adequate protection against unauthorised or unlawful processing, accidental loss, destruction or damage”.
Classifying and Lawfully Processing Personal Data
GDPR prohibits the processing of special category data unless one of a limited number of specific conditions are complied with. The importance of identifying what constitutes special category personal data and taking appropriate measures was underlined by the 2019 enforcement notice issued by the ICO against HMRC. HMRC was storing voice data as part of a voice recognition system for its phone line. The characteristics of a person’s voice was found by the ICO to constitute biometric data, and should have been treated as falling within a special category of personal data. HMRC had not taken the requisite compliance steps to process this data, and was ordered by the ICO to delete all the biometric data held under the Voice ID system which it did not have explicit consent to use.
Sharing of Data and Data Brokerage
The growth of big data analysis in recent years has been accompanied by growing privacy concerns about how data obtained through online activity is used and processed. The ICO fined Bounty, a firm that provided services to pregnant women and new mothers, £400,000 for supplying more than 35 million records to third parties for the purpose of electronic direct marketing. The ICO found that Bounty had not used personal data fairly nor in ways that data subjects would reasonably expect. The fine was one of a number that have been issued as part of a wider investigation into the data broking industry.
Subject Access Requests
The right of data subjects to access their personal data through subject access requests was enshrined in the Data Protection Act 1998. The 2018 Act adjusted the regime and the introduction of GDPR brought about growing awareness of data rights. The Metropolitan Police Service informed the ICO that it had received an “unprecedented rise in demand for public access to data since the introduction of the DPA in May 2018” but was still served with enforcement notices under the 1998 and 2018 Data Protection Acts for “sustained failures to comply with individuals' rights in respect of subject access requests”. The MPS were ordered by the ICO to update internal systems, procedures and policies.
Organisations who do not expect to routinely receive subject access requests should still be diligent in their responses to them. The ICO issued an enforcement notice against a finance company for failing to comply with a subject access request; and brought a criminal prosecution against a property developer that had been the subject of an enforcement notice requiring it to comply with a subject access request and had failed to do so. Please see our guide How to respond to a subject access request: a step by step guide for organisations which is intended to make responding to SARs as straightforward as possible.
Almost a quarter of all enforcement action recorded by the ICO has been enforcement action against the marketing sector. Action in 2019 included:
- A fine against a glazing company of £120,000 for making unsolicited direct marketing calls;
- A fine against a boiler replacement and repair company of £160,000 for making unsolicited direct marketing calls;
- A fine against a home security company of £90,000 for making unsolicited direct marketing calls;
- A fine against a financial services firm of £40,000 for sending almost 2 million direct marketing e-mails;
- A fine against a firm sending unsolicited text messages relating to PPI claims of £120,000;
- A fine against a company using unsolicited calls to sell funeral plans of £80,000;
- A fine against EE Limited of £100,000 for sending over 2.5 million unsolicited e-mails.
Large-scale unsolicited marketing in breach of the Privacy and Electronic Communications Regulations continues to be an area of focus for the ICO.
Enforcement action and future trends in 2020
We have previously written about the ICO’s priorities for regulatory action. Strategic plans in respect of information rights and technology provide insight into where the ICO’s focus for regulatory action will lie. As foreshadowed by these documents, 2019 saw enforcement action taken against the data brokerage industry, and as a result of cyber security breaches. It is expected that investigations and enforcement action related to these matters will continue into 2020. The ICO’s campaign against those making unlawful marketing approaches through nuisance calls and messages is also likely to remain a focus of the regulator.
Co-ordination between the ICO and other regulators was apparent from the enforcement action in 2019, the action against the pharmacy mentioned above was a result of a referral from the Medicines and Healthcare Products Regulation Authority and the action brought against the financial services firm described above resulted from a referral from the Financial Conduct Authority. As awareness about information rights and obligations grows, it is like that ancillary ICO investigations will stem from actions and investigations by other regulators.
The ICO is likely to be a key regulator in the government’s move to promote ethics and innovation in the AI sector. Investigations and enforcement action against organisations and businesses developing and employing AI could be seen in 2020.
The GDPR stated that children’s personal data merits specific protection and it is likely that organisations which process such personal data will also come under scrutiny. The Information Commissioner was reported to have informed a parliamentary committee that there is an active investigation into video sharing app TikTok.
While the ICO’s investigatory focus is likely to be on those processing particularly sensitive personal data and personal data on a large scale, the enforcement pattern for 2019 underlines the importance of GDPR compliance for all business and organisations handling personal data. The growing public awareness of information rights and obligations, coupled with new reporting requirements and increased regulatory co-operation, is likely to prompt investigations into data controllers who would not have otherwise been targets for regulatory action. The importance for all data controllers of careful compliance planning, and swift remedial action in the event of a data breach, cannot be underestimated.
About the authors
Emily Carter is a Partner in our Public Law team with expertise in public inquiries, major inquests and internal investigations. Emily also has significant expertise in Data Protection law and the application of the GDPR.
Fred Allen is an associate within the Public Law Department and International Crime Group. He has worked on a range of public law challenges and matters including public inquiries, inquests, judicial review proceedings and tribunal appeals.