In 2020, the Information Commissioner’s Office (‘ICO’) delivered two significant decisions. Taken together they provide a comparison of the ICO’s enforcement powers in relation to significant data protection breaches.
The maximum potential fines available to the ICO under the General Data Protection Regulation are fairly well known: €20 million or 4% of annual global turnover (whichever is greater). The ICO has wide discretion over when to apply such fines, with guidance found both in its Regulatory Action Protocol (‘RAP’) and in Article 83 of the GDPR itself.
The RAP suggests a penalty is more likely if:
Other factors and situations which may affect the size of any penalty include:
Where a fine is not imposed, the ICO has access to other tools beyond monetary penalties, such as warnings or enforcement notices. These can represent a significant non-financial burden and may forecast a stronger enforcement approach for future breaches.
The ICO’s decision against British Airways (‘BA’) provides a clear illustration of how fines are calculated. Some of the major factors included:
Positives
Negatives
The two-year investigation into Experian, Equifax and TransUnion illustrates the differences in approach. While the ICO found ‘significant data protection failures’ at each of the three, Equifax and TransUnion made the improvements requested during the investigation, withdrew some products and services, and face no further regulatory action.
On the other hand, according to the ICO, Experian also made improvements but was unwilling to comply fully. Steps Experian resisted included issuing privacy information directly to individuals and ceasing to use credit reference data for direct marketing. Experian has since issued a press release stating that, in its opinion, the ICO’s requirements exceeded the legal requirements.
The ICO has issued an enforcement notice with which Experian is required to comply. If Experian fails to do so, it will then face a fine under the GDPR, which would likely be significant. It has until July 2021 to comply with the notice, but in the meantime has already indicated that it will appeal the decision.
While the ICO has the ability to impose significant fines, it will not always choose to do so, and when it does there is still room to make submissions as to why those fines should be lower.
A prompt, strategic response can often minimise any penalties and reduce any disruption. If your organisation is facing a regulatory investigation or data breach, Ashfords’ Business Risk and Regulation Team can guide you through your response, advise on interactions with the ICO and help you minimise the risk of negative outcomes.
If you have any questions on the article above please contact the Risk & Regulation team.