Much of the rhetoric about the EU-GDPR, which comes into force in May 2018, relates to the danger of data breaches and the huge fines that may be imposed when they occur. This does not reflect the reality, based on precedents set by the UK Information Commissioner’s Office (ICO), acting under current legislation.
At the time of writing, the ICO has issued a total of 93 monetary penalties since 20 October 2015; the average fine has been £86,000, against a maximum possible fine of £500,000. No cases before that date are published on the ICO website, as they are removed after two years.
The ICO enforces two existing laws: the 1995 Data Protection Act (DPA) and the 2003 Privacy in Electronic Communications Regulation (PECR), both of which are based on EU Directives. It is the DPA that will be superseded in the UK by a new GDPR-like Data Protection Act currently going through the UK parliament.
53 of the fines issued by the ICO since October 2015 are under PECR, which covers misuse of telephone, SMS and email communications – i.e. nuisance calls and spam messages. The average for these over the last two years was £101,500; the largest to date has been £400,000, issued to Keurboom. When it comes to PECR, the more data subjects (citizens) that are impacted, the bigger the fine (see graph).
The remaining 40 fines were for data privacy issues under the DPA.
As part of a charity crackdown, mostly in April 2017, 13 fines were issued. Again, the number of data subjects matters. The ICO objected to the way charities, including Guide Dogs for the Blind, Cancer Research UK, The British Heart Foundation and the Royal Society for the Prevention of Cruelty to Animals (RSPCA), used data. This included sharing data with related charities (without the knowledge of data subjects), tele-matching (where information is sought out which data subjects did not provide) and wealth screening (seeking, through tele-matching, the richest donors). The average fine issued to charities was £14,000.
Another 10 fines were for misuse of data or for the potential risk of exposure of data. For example, Basildon Borough Council was fined £150,000 in May 2017 for publishing sensitive data on its web site, and Pharmacy2U was fined £130,000 in October 2015 for selling data without the consent of data subjects. The average of these 10 fines was £58,000.
The remaining 17 were for data breaches (the ICO became aware of about 4,000 during the period in question). These range from £400,000 to TalkTalk Telecom for its leak of 157,000 customer records in 2015 down to £400 for a laptop stolen from a historical society. In between were a £60,000 fine for Norfolk County Council, after a filing cabinet found in a second-hand shop was discovered to contain seven paper files including sensitive information about children, and £150,000 to Greater Manchester Police for a leaked video interview. The average fine for a data breach was £110,000. Most breaches fall to the bottom right of the graph, i.e. the seriousness of the privacy violation is a bigger factor than the number of data subjects impacted.
Given that the maximum fine the ICO can currently issue is £500,000, the average for data breaches has been just 16% of that. The ICO is pursuing what it believes are the interests of UK citizens; it has limited resources and is not chasing down every breach, only those it considers most serious. Of course, organisations should be wary of the new legislation, and taking care of customer data is good practice anyway. However, don’t take the scare stories being peddled by vendors and the popular press at face value.