The ICO continues to take enforcement action under the previous Data Protection Act 1998. That Act still applies where the breach occurred before 25 May 2018, the date on which the GDPR and the Data Protection Act 2018 came into force.
Recent enforcement action shows the same trends continuing: data protection and security are still not being taken as seriously as they need to be. Heathrow Airport lost an unencrypted memory stick containing personal details and airport security details, and was fined £120,000. A Bupa Insurance employee was able to use the company's systems to extract hundreds of thousands of customer records, which were then offered for sale on the dark web; Bupa was fined £175,000. On top of the fines come the cost of dealing with the incident once it is discovered and the reputational damage.

The key takeaways are: secure data in transit (but don't be so prescriptive that people try to get round the rules, which creates greater risk), and make sure database access is proportionate and monitored, with checks for unusual activity and large downloads.
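To make the monitoring takeaway concrete, here is an added example (not code from the original article, the ICO, or either of the firms named) that scans a database audit log for bulk record extraction of the kind in the Bupa case. The log format, user names, row counts, dates and thresholds are all constructed assumptions for illustration; real audit logs will need their own parser, and the thresholds should be tuned to your own traffic.

```python
"""Detect bulk record extraction from a database audit log.

Added example, not from the original article. Assumes a hypothetical
audit log with one line per statement: ISO timestamp, user, rows returned,
then the statement text. Flags a user-day when the rows returned exceed an
absolute limit, or exceed a multiple of that user's own historical daily median.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log (assumption): three staff over three days. "bob"
# suddenly pulls 1,500 rows on day three, "carol" pulls 12,000 in one query.
SAMPLE_AUDIT_LOG = [
    "2018-01-08T09:12:01Z alice 40 SELECT * FROM customers WHERE id = 1042",
    "2018-01-08T11:03:44Z alice 25 SELECT * FROM customers WHERE postcode = 'SW1A'",
    "2018-01-08T09:40:10Z bob 30 SELECT * FROM policies WHERE customer_id = 77",
    "2018-01-09T10:15:00Z alice 60 SELECT * FROM customers WHERE surname = 'Smith'",
    "2018-01-09T14:22:31Z bob 20 SELECT * FROM policies WHERE customer_id = 91",
    "2018-01-10T08:05:19Z alice 35 SELECT * FROM customers WHERE id = 2210",
    "2018-01-10T17:48:02Z bob 20 SELECT * FROM policies WHERE customer_id = 15",
    "2018-01-10T17:52:13Z bob 1500 SELECT name, dob, email FROM customers",
    "2018-01-10T18:30:00Z carol 12000 SELECT * FROM customers",
]


def parse_audit_line(line):
    """Split one log line into (timestamp, user, rows_returned, statement)."""
    ts, user, rows, statement = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, int(rows), statement


def daily_rows_per_user(lines):
    """Aggregate rows returned per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, user, rows, _ = parse_audit_line(line)
        totals[user][ts.date()] += rows
    return totals


def flag_bulk_extraction(lines, absolute_limit=10_000, baseline_multiplier=10):
    """Return (user, day, rows_today, baseline) for each suspicious user-day.

    A day is flagged if rows_today > absolute_limit, or if the user has
    prior history and rows_today > baseline_multiplier * median(prior days).
    The absolute limit is the only guard for users with no history yet.
    """
    alerts = []
    for user, per_day in daily_rows_per_user(lines).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            baseline = statistics.median(history) if history else 0
            today = per_day[day]
            over_absolute = today > absolute_limit
            over_baseline = bool(history) and today > baseline_multiplier * baseline
            if over_absolute or over_baseline:
                alerts.append((user, day.isoformat(), today, baseline))
    return alerts


if __name__ == "__main__":
    for user, day, rows, baseline in flag_bulk_extraction(SAMPLE_AUDIT_LOG):
        print(f"ALERT {day} user={user} rows={rows} baseline={baseline}")
```

Two caveats a practitioner would want: a new account has no baseline, so only the absolute limit protects against a first-day dump; and an insider who drips records out below both thresholds every day will not be flagged, which is why the takeaway pairs monitoring with making access proportionate in the first place (a staff member who cannot query the whole customer table cannot extract it).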
Whilst we can help you deal with any data breach scenario, including one that may need to be reported quickly to regulators, contract parties and/or individuals, we would much rather help you prevent it in the first place. Why not take one of our mock breach scenario training sessions to test the resilience of your operational processes and practices? Or have us review your compliance approach and key risk areas?
It's also worth noting that enforcement extends to organisations that have failed to pay the new data protection fee. This topic hasn't been covered in as much detail as the GDPR or the DPA 2018, but it sits in a separate set of regulations (the Data Protection (Charges and Information) Regulations 2018) which also came into force on 25 May 2018. If you have a current data protection registration, it remains valid until its expiry date; you will then move onto the new fee regime. If your organisation is a data controller and hasn't yet paid its fee (under either the old or the new regime), the ICO's checklist will tell you whether you still need to pay or whether one of a limited set of exemptions applies. The checklist can be found here. Note, however, that there is a further set of exemptions: if you only process personal data for the limited purposes set out below, your organisation will not need to pay a data protection fee.
You are exempt where you only process personal data for one or more of the following purposes (if you also process for other purposes, you may still need to pay unless another exemption applies):
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer
Get in touch with one of our team to see how we can help you.