The Information Commissioner’s Office issued 22 monetary fines totalling over £3 million under the Data Protection Act 1998 and 23 monetary fines totalling over £2 million under the Privacy and Electronic Communications Regulation in 2018-19 while also handling more data protection complaints than ever before.
In its Annual Report published yesterday, The Information Commissioner’s Office noted a sharp rise in the number of data protection complaints handled by it as well as the number of monetary penalties and enforcement notices issued in 2018-19 compared to previous years.
The year saw the ICO issuing as many as 22 monetary fines under the Data Protection Act 1998 to firms for failing to prevent data breaches or suffering cyber incidents. Totalling £3,010,610, these fines included a £500,000 fine issued to Equifax, a £500,000 fine issued to Facebook, a £385,000 fine issued to Uber, a £325,000 fine issued to the Crown Prosecution Service, and a £250,000 fine issued to Yahoo.
The ICO also issued a fine of £15,000 as well as a further £6,000 in costs to Cambridge Analytica in January this year for failing to comply with an enforcement notice issued by it in May last year that directed the firm to provide a citizen with details of his personal data processed by it.
Only 0.05% of data breach cases resulted in monetary fines
The ICO also issued warning letters to 11 political parties in order to compel them to agree to audits of their data protection practices, issued an Enforcement Notice to SCL Elections Ltd to deal properly with a subject access request, issued an an Enforcement Notice to Aggregate IQ to stop processing retained data belonging to UK citizens, and announced an audit of the Cambridge University Psychometric Centre.
However, out of 12,385 personal data breach reports it handled in the period, the ICO issued monetary penalties to data controllers in only 0.05 percent of cases, while instructing data controllers to take further action in 17 percent of cases, and taking no action at all in 82 percent of cases beyond asking organisations to take steps to addresses data breaches.
In fact, between May 2018 and March this year, the ICO issued monetary fines in only 29 cases out of 11,468 data breach cases it investigated, indicating that only around one in every 395 investigations resulted in monetary fines.
According to the ICO, it takes actions, including issuing monetary penalties, based on several factors such as the cause of the breach, the detriment to affected individuals, the sensitivity of the data and the remedial measures taken by data controllers to address incidents and prevent recurrence.
The arrival of GDPR in 2018 as well as the enactment of the new Data Protection Act last year has forced organisations to report personal data breaches to the ICO at a much greater rate than before. In 2018-19, the ICO received 13,840 personal data breach reports compared to just 3,311 reports in 2017-18 and 2,565 reports in 2016-17.
“Many PDB reports come from sectors that handle large volumes of personal data. In some sectors, there is a strong correlation between the volume of reports received, the sensitivity of the data and awareness of reporting thresholds. For example, reporting can be higher where there are dedicated DPOs and well-developed breach reporting processes,” it said.
Earlier this year, security firm Redscan found that the ICO’s inability to act against data protection offenses was because of businesses’ inability to provide critical details to the watchdog and within mandated timelines.
According to Redscan, while more than 9 out of 10 companies (93%) did not specify the impact of the breach, or did not know the impact at the time it was reported, it also took businesses an average of 21 days to report breach incidents to the ICO after they were identified.
The firm also noted that less than a quarter of businesses complied with the requirement of reporting breaches within 72 hours of discovery. Out of 182 breach reports, only 45 were reported within 72 hours of discovery and one organisation too as long as 142 days to report a breach to the ICO. As many as 21% of organisations failed to report breach incident dates to the ICO.
“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses. Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter,” said Mark Nicholls, Redscan director of cybersecurity.
ICO cracked down on nuisance calls & spam texts
In 2018-19, the ICO also received 138,368 complaints from the public about unsolicited marketing calls, telesales calls with recorded voices and spam texts compared to 109,481 complaints it received in the previous year.
Out of the 138,368 compliants it handled, the ICO served monetary fines to erring organisations twenty-three times and the fines totalled slightly over £2 million. It also disqualified 16 people from serving as a director thanks to an amendment in the PECR legislation that paved the way for directors to be held liable for monetary fines.
These fines included a fine of £40,000 to Vote Leave for sending 196,154 text messages to thousands of UK citizens without obtaining their prior consent, and a £40,000 fine issued to Grove Pensions Solutions Ltd for sending nearly two million direct marketing emails without consent.
In February, the ICO also fined Leave.EU £45,000 an Eldon Insurance £60,000 after concluding that both Leave.EU and Eldon Insurance used personal data of each other’s subscribers to send hundreds of thousands of direct marketing and political marketing messages without obtaining sufficient consent from targeted subscribers.