When it comes to data protection compliance the (Farrow &) Ball is in your court

Recent enforcement action against well-known paint and paper specialist, Farrow & Ball Limited, provides a timely reminder of the need to keep on top of data protection compliance.

The enforcement action in this case related to non-payment of the annual data protection fee. As a Tier 3 organisation Farrow & Ball Limited is required to pay an annual fee of £2,900. After failing to make the payment, the company was issued with A Notice of Intent by the Information Commissioner’s Office which it disregarded. As a result, a Monetary Penalty Order in the sum of £4,000 was duly issued.

Farrow & Ball Limited appealed the Monetary Penalty Notice to the First-Tier Tribunal. The company submitted that its non-payment of the data protection fee was an innocent mistake and requested that the £4,000 penalty be waived. In support of its position, Farrow & Ball Limited argued that:

  • The reminder from the Information Commissioner was sent whilst Farrow & Ball's representative was on holiday.
  • Further reminders should have been sent.
  • Correspondence from the Information Commissioner addressed to the company secretary was not recognised as important internally.
  • The Information Commissioner was contacted promptly once the error was noted and the data protection fee paid immediately.
  • The company had learned from its mistake and put procedures in place to ensure that there would be no repeat of the breach.

The tribunal was not convinced by the arguments put forward and found in favour of the Information Commissioner, upholding the Monetary Penalty Order. In reaching its decisions, the Tribunal noted that Farrow & Ball Limited had not advanced any reasonable excuse for its failure to comply with the regulations and observed that a reasonable data controller would have systems in place to comply with the regulations. The Tribunal held that Farrow & Ball Limited had not been able to point to any particular difficulty or misfortune explaining its departure from the expected standards.

Whilst this is not the only example of recent enforcement action by the ICO in relation to payment of data protection fees the Tribunal’s response to the arguments put forwards by Farrow & ball Limited is a timely reminder to all organisations that they must:

  • Take a proactive approach to compliance requirements through proper process and procedure.
  • Ensure all staff are sufficiently trained so that they are able to recognise the importance of matters concerning data protection compliance.
  • Respond to any communication from the Information Commissioner’s Office promptly and in accordance with any deadline set.