GDPR was everywhere. So much so, it was easy to question whether the impact would match up to the hype. In the last few weeks, we’ve seen the first tranche of evidence that the punishment for not protecting and managing data within the law will be severe.
The ICO, which will be announcing all fines publicly, has hit hard. For a variety of reasons, often simple errors and omissions on the part of businesses, the ICO has made it very clear that businesses are accountable: a data breach threatens not only reputation and consumer trust but is also a huge financial liability.
In July alone, UK fines totalled £285M:
- BA: £183M — lack of necessary or diligent enough process
- Prod Co: £120K — lack of consent from contributors
- Marriott: £99M — insufficient due diligence
- Estate Agency: £80K — for personal data exposure incl. salary
The largest fine to date: BA and its parent company International Airlines Group (IAG) were fined £183.39 million ($230 million) in connection with a 2018 data breach that impacted ~500,000 customers.
This fine is 1.5% of total revenue, or £360 for every person whose data was impacted. If you have employed only 100 people in the last year, your exposure under similar circumstances would be £36,000.
The interesting thing about this case is that BA were themselves the victim of a hack, yet they were still held accountable and liable, because the poor processes in place allowed the breach to occur.
This is not an inconvenience, this is a very real threat. The ICO are actively pursuing all industries including the film and TV industry, and they have the authority to hold businesses publicly accountable.
“People’s personal data is just that — personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear — when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Information Commissioner, Elizabeth Denham.
If you were issued an ICO assessment tomorrow, how would your business fare?
A reminder of Article 5 of the GDPR.
It requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary; and
- Processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.
In addition, Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
If you’re a production company keen to ensure your processes are compliant with the GDPR and other regulations, get in touch today at email@example.com.