What is the issue?
Earlier this month British Airways and Marriott International received notices of intent to impose hefty fines (£183 million for BA and £99 million for Marriott) for breaches of data protection law. This is the first time that the ICO, the UK’s GDPR supervisory authority, has issued notices of fines under the new data protection regime introduced by the GDPR.
Is it similar to the Facebook case last year?
Last year Facebook was fined by the ICO for serious breaches of data protection law. However, that case was dealt with under the old data protection legislation, as the GDPR did not yet apply. The monetary penalty was therefore £500,000, the maximum fine available under the old data protection law. Some news reports said that the authorities lamented that the fine was too low (because of the maximum permitted under the old legislation) given Facebook’s worldwide revenue of USD40 billion.
What is the maximum fine now then?
The maximum level of fines under the GDPR is EUR20 million or 4% of the total worldwide annual turnover of the undertaking (not the company), whichever is higher. This is a significant increase from £5 million under the Data Protection Act 1998.
Facebook must be relieved that the fine was calculated under the pre-GDPR regime?
I very much doubt it. One of the major allegations was that Facebook shared its data with Cambridge Analytica in breach of data protection law. Facebook has just settled with the US Federal Trade Commission (FTC) for USD5 billion. However, there may be further investigations by other regulators in the near future. In any event, because personal data processing is ongoing, continuous compliance with data protection law is vital to avoid fines under the GDPR.
What about in the UK?
In terms of the UK data protection regime, it was only last May that the GDPR and the Data Protection Act 2018 were introduced. The ICO notes that the number of data protection complaints it has received has doubled from the year 2017/18 (21,019) to the year 2018/19 (41,661). The ICO says it is taking action through enforcement notices and warnings. It is critical that we all become more pragmatic and proactive in complying with the new data protection law.
What is different from the old data protection regime in terms of compliance?
One of the important factors in complying with the new data protection law is being able to “demonstrate” that you are complying with it. Your data controller(s) is/are responsible for compliance, but they also need to be able to show that they are complying with the data protection law.
So, if I am not the data controller, I should not be concerned here?
Well, if you and/or your organisation are/is “processing” any personal information or data, you might have a number of direct obligations of your own under the GDPR. “Processing” would include “recording or holding or carrying out any operation on any personal information or data”. Data processors must co-operate with the data controller(s). It is also important to note that you may be considered a “data controller” if you are making decisions as to the processing of personal data.
What can we do to comply with the new data protection law?
This would include the adoption of adequate measures, such as an internal and external audit, for example. It could also include the implementation of appropriate data protection policies, amongst other things. In order to do these things, you should review your current policies and procedures for data sharing, information security and data protection measures. You might also like to review your contracts, both within the organisation and with your suppliers.
At Cognitive Law, we are very happy to discuss your concerns on the GDPR compliance and to review your documents and/or to prepare necessary documents for you. Please feel free to drop me a line at mayumi.hawkes@cognitivelaw.co.uk or ring me on 020 3034 0501.