Although 2020 will undoubtedly become synonymous with a certain c-word that shall not be named, it has also arguably seen a turning of the tide in the ICO's enforcement approach. While the ICO has been criticised in the past for not taking a tough enough stance and not imposing large fines, it seems this is no longer the case.
Under the General Data Protection Regulation, the UK's Information Commissioner's Office (like other EEA regulators) has the power to impose a fine of up to €20M or 4% of annual worldwide turnover, whichever is greater. If, at the start of the year, you had ranked EU countries by the number and value of fines imposed since the GDPR came into force in 2018, the UK would have been fairly far down the list.
However, having reviewed the ICO's enforcement action over the course of 2020, it seems that the ICO is not afraid of issuing big fines where they are required and justified. This is evident in the last quarter of 2020 with the ICO's fines on British Airways of £20M and Marriott of £18.4M (both resulting from a failure to put in place appropriate technical and organisational measures to secure personal data, the obligation set out in Article 32 GDPR). While the ICO's focus in 2020 has arguably been on supporting organisations impacted by COVID-19, and in doing so adopting a pragmatic approach to enforcement, the BA and Marriott fines serve as a warning that the ICO does take enforcement seriously and will impose high fines where appropriate. It will be interesting to watch the ICO's approach to enforcement next year, after the expiry of the Brexit transition period.
The ICO's 2020 enforcement actions also indicate a clear focus on organisations failing to put in place appropriate technical and organisational measures to secure personal data. Failing to establish a valid legal basis, failing to ensure transparency and breaching the marketing rules also appeared consistently in the cases looked at by the ICO.
Going into 2021, we would recommend that organisations processing personal data ensure their data compliance plan takes account of the key lessons from the ICO's 2020 enforcement cases, to minimise the risk of falling foul of the ICO. These include (don't forget to add any other issues relevant to your own processing!):
- be open and transparent with your data subjects about how you will process their personal data: no invisible processing;
- understand the marketing rules and comply with them, including having a valid legal basis for the processing and recording what that basis is;
- make sure the security measures you implement to protect personal data are proportionate to the risk, size and resources of the organisation, and that they extend to your supply chain (outsourcing the processing does not outsource your responsibility for securing it);
- act quickly if your organisation is alerted to a problem that may constitute a personal data breach: a notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, so the clock is short and the incident response process needs to be in place before it is needed;
- continue to raise employees' awareness of data protection matters through training and updates on the issues relevant to their role. Remind employees that they must process personal data in line with the organisation's policies and procedures.
If you would like to discuss your data protection requirements please contact Loretta Maxfield, Partner.