We then considered enforcement trends. The total number of fines is going up; the maximum under the DPA is £½m, the maximum under the GDPR will be €20m or 4% of global turnover. Today the ICO can fine under two laws, the Data Protection Act and the Privacy and Electronic Communications Regulations (PECR), which regulate Data Controllers and Processors and direct mailing houses respectively. The ICO have taken more interest in the DPA since they gained fining powers. This note looks at the record in court and the change in enforcement powers, and notes that the preponderance of fines have been levied due to inadequate technical protection.
There have been only two appeals, suggesting that the ICO might be too cautious when deciding whether to issue enforcement notices. The public sector doesn't like losing this sort of case and will often be over-cautious in assessing the chance of victory, or too wary of taking on well-funded litigants.
It was suggested that over the next couple of years there will be an increasing focus on enforcement actions, both continuing to prioritise PECR and looking at compliance processes. I am not so sure.
The fine limits are defined in Article 83,
Infringements … shall, …, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
High fines will increase the drive to appeal and fight them, but the supervisory authorities will want to demonstrate that a will to enforce the GDPR exists. It was suggested that the ICO will be part of this, but the examples of penalties shown in the talk are towards the low or average end of the scale. One of the cases was a typical jigsaw attack: a legitimate subject access request placed on a public-sector organisation leaked data about a third party who had an expectation of privacy. Fortunately, the organisation was able to demonstrate that it had a system which had failed in this case; this reinforces one of the highlight lessons of the day,
You can fail and make mistakes, you can be wrong but you can’t not care!
There was a table/chart showing which of the DP Act principles had been breached; 71% of cases breached the 7th Principle by failing to provide adequate IT security for personal data.
Defences will include policy and training and the implementation of encryption on disks and removable media. Some argue that encryption is snake oil and that by itself it is not adequate technical protection, but not using it for portable media is a clear failure to provide such protection.
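Showing that removable media is encrypted is the kind of evidence the cases above turn on, so here is an added example (mine, not from the talk or the ICO) of a small audit that reads the JSON produced by `lsblk -J -o NAME,TYPE,FSTYPE,RM,MOUNTPOINT` on a Linux host and lists every filesystem-bearing device that is removable but not a LUKS container. The device tree embedded below is constructed for illustration; the column names and JSON shape are those lsblk emits, and the assumption is that a `crypto_LUKS` filesystem type is what counts as encrypted (BitLocker or other schemes would need their own check).

```python
import json
import sys

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,RM,MOUNTPOINT` output.
# sda is a fixed disk with a plain EFI partition and a LUKS root; sdb is a
# removable stick formatted exFAT; sdc is a removable stick holding a LUKS volume.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "rm": false, "mountpoint": null,
   "children": [
     {"name": "sda1", "type": "part", "fstype": "vfat", "rm": false, "mountpoint": "/boot/efi"},
     {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "rm": false, "mountpoint": null,
      "children": [
        {"name": "root", "type": "crypt", "fstype": "ext4", "rm": false, "mountpoint": "/"}]}
   ]},
  {"name": "sdb", "type": "disk", "fstype": null, "rm": true, "mountpoint": null,
   "children": [
     {"name": "sdb1", "type": "part", "fstype": "exfat", "rm": true, "mountpoint": "/media/usb"}
   ]},
  {"name": "sdc", "type": "disk", "fstype": null, "rm": true, "mountpoint": null,
   "children": [
     {"name": "sdc1", "type": "part", "fstype": "crypto_LUKS", "rm": true, "mountpoint": null,
      "children": [
        {"name": "usbsec", "type": "crypt", "fstype": "ext4", "rm": false, "mountpoint": "/media/secure"}]}
   ]}
]}
"""


def _rm_flag(node):
    """lsblk reports RM as a bool in recent util-linux and as "0"/"1" in older ones."""
    return node.get("rm") in (True, 1, "1")


def _walk(nodes, inherited_rm=False):
    """Yield (node, removable) for every node in the lsblk tree, depth first.
    A partition on a removable disk is removable even if its own RM flag is unset."""
    for node in nodes:
        removable = inherited_rm or _rm_flag(node)
        yield node, removable
        yield from _walk(node.get("children", []), removable)


def audit(lsblk_json):
    """Return one dict per filesystem-bearing device: name, removable, encrypted.

    Nodes of type 'crypt' are the unlocked view of a LUKS container and are skipped,
    because the container that holds the ciphertext is already counted as encrypted.
    Bare disks and empty partitions (no fstype) store no data and are skipped too."""
    tree = json.loads(lsblk_json)["blockdevices"]
    report = []
    for node, removable in _walk(tree):
        if node.get("type") == "crypt":
            continue
        fstype = node.get("fstype")
        if not fstype:
            continue
        report.append({
            "name": node["name"],
            "removable": removable,
            "encrypted": fstype == "crypto_LUKS",
        })
    return report


def unencrypted_removable(report):
    """Names of removable devices holding an unencrypted filesystem, sorted."""
    return sorted(d["name"] for d in report if d["removable"] and not d["encrypted"])


if __name__ == "__main__":
    # Pipe real lsblk output in; fall back to the constructed sample when run interactively.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSBLK_JSON
    findings = audit(data)
    for d in findings:
        kind = "removable" if d["removable"] else "fixed"
        state = "LUKS" if d["encrypted"] else "PLAIN"
        print(f"{d['name']:8} {kind:9} {state}")
    bad = unencrypted_removable(findings)
    print("unencrypted removable media:", ", ".join(bad) if bad else "none")
```

Against the sample this reports `sdb1` as the only unencrypted removable device; `sda1` is also plaintext but fixed, which is the usual state of an EFI system partition. Run periodically with `lsblk -J -o NAME,TYPE,FSTYPE,RM,MOUNTPOINT | python3 audit.py` (the script name is mine) it gives the written evidence that the policy in the paragraph above is actually in force.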
During this session it was noted that, in the light of the new penalties, both parties to a contract will look to demand liability caps; the nature of the IT supply chain is going to change, and it could be a shock for software vendors who have typically "licensed" their software with zero warranty.