It’s holiday time, but the ICO keeps busy.
You will either have had your annual summer break by now or be preparing for it. Whichever it is, we hope you have, or had, a relaxing time. The period from now to May 25th 2018 is going to be quite busy for most businesses. The work required to prepare for GDPR will add to the burden of existing work. But it is important that from this point on businesses make this work a priority.
We have resisted using the general scare tactics around the penalties that the ICO will have at their disposal from May next year. Generally, we don’t see this as a driver for implementation. Many organisations view the risk of being prosecuted by the ICO as a small risk, particularly smaller companies who feel prosecution is only for large organisations that do really bad things and lose loads of personal data.
The Information Commissioner’s Annual Report for 2016/2017 shows a significant upturn in the number of penalties awarded and prosecutions. There has been a 50% increase in criminal convictions and a 267% increase in section 55 DPA offences (section 55 refers to unlawfully obtaining personal data). Is this due to a change of regime at the ICO, or could it be that the public are more aware of their rights? The commissioner did report an increase in reported incidents of 2000, taking them to 18,300 in the year to 31st March 2017.
The increase in penalties awarded was also significant. In the last financial year, the penalties handed out under the Privacy in Electronic Communications Regulation (PECR) (a regulation that sits alongside DPA) amounted to £1,923,000, the largest being £270,000. Fines under the Data Protection Act added £1,624,000 to the pot, with the largest being £400,000: 80% of the maximum that can currently be awarded. In addition to this there were fines awarded in criminal cases.
Our GDPR specialist regularly looks at the actions taken by the ICO (they can be found here https://ico.org.uk/action-weve-taken/) and the rising trend in penalties seems to continue. From April 1st to July 26th 2017 the ICO has handed out over £600,000 in fines under the DPA, with the largest being £150,000, and £850,000 under PECR, with the largest being £400,000. A whopping £1,503,500 has already been awarded in the first four months of the 2017/2018 financial year, 42% of the 2016/17 total. If the trend continues this could mean a 127% increase in penalties this year.
With the evident increase in enforcement from the ICO and the increase in reports from data subjects, there has to be an increased risk to businesses of getting caught if they are not compliant. From next May, don’t forget the penalties will be a lot higher too!
I hear the smaller companies saying “the ICO won’t be interested in me”. Don’t be too sure about that.