This week all eyes are on the future. There’s just one year to go until the EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and we have the promise, in the Conservative Party’s manifesto, that here in the UK we will be getting a new data protection law that is “fit for our new data age”. Of course preparation for the GDPR and any other change in the law is important, bringing, as it does, new non compliance risks for businesses, but let’s not forget that most of the significant risks are already with us. Yes, higher fines are in prospect, but the basic requirements to keep personal data secure, to treat personal data responsibly and to respect individuals rights are part of the law now and will remain largely unchanged under the GDPR. And it’s these areas that I’d expect to continue to be the ones where regulators, and in particular the ICO, focus most of their attention.
In this connection it is instructive to look at some of the latest fines imposed by the Information Commissioner, Elizabeth Denham. Of course there’s the headline grabbing, record fine of £400,000 against Keurboom Communications for making something of the order of 100 million nuisance calls. Looking beyond this though there was a fine of £55,000 against Construction Material Online Ltd who failed to protect customer’s personal information, including credit card details, when their web site was subject to an SQL injection attack, something that the ICO has warned against, and imposed fines for, time and time again. Then there’s a fine of £150,000 against Greater Manchester Police, who are now in the ranks of those who’ve been fined more than once, after an inadequately protected DVD containing footage of interviews with victims of violent or sexual crimes was lost in the post. Again this is something that the ICO has warned about and imposed fines for in the past. There have also been fines against a multitude of charities for misusing donors’ personal data through activities such as wealth screening and trading the data with other charities in a way that, the ICO says, would not have been apparent to or understood by the donors concerned.
Over the last year we’ve also seen the Information Commissioner willing to use her enforcement powers to underpin individual rights, in particular the right to subject access. Failures by businesses to deliver subject access don’t currently attract fines because, generally, they don’t meet the threshold of being “of a kind likely to cause substantial damage or substantial distress” but they are nevertheless treated seriously by the ICO. This threshold for fines will be removed once the GDPR comes into force so maybe we’ll see the Commissioner extending her fining activities to those businesses that fail to respect individual rights.
It would be surprising though if Elizabeth Denham were to move away from directing her fines to where there is the greatest risk of harm to individuals, however broadly “harm” might be defined, and on to more technical matters of compliance. So important though GDPR preparation is, it shouldn’t be at the expense of businesses taking their eyes off today’s developing risks to personal data and failing to learn and apply lessons from the ICO’s fines and other enforcement action. Even after the GDPR is in force next year I’d be surprised if the ICO’s list of fines isn’t still topped by those who flout the rules on electronic marketing communications such as call and texts, unless, in the meantime, there has been a very rapid and unexpected turnaround in behaviour by the business community concerned. I have little doubt that security breaches will still feature prominently, more general misuse of personal data that impacts on individuals may well be receiving more attention than now and failures to respect rights could be attracting fines for the first time. However I can’t see that what might be considered to be more technical breaches of the GDPR requirements, such as shortcomings in meeting the documentation requirements, are likely to feature on the Commissioner’s list unless they have contributed directly to some more fundamental failure.