(UK) GDPR: Consequences of Non-Compliance
In her latest blog, Aisha Akhtar discussed the measures that each organisation needs to evidence in order to comply with the UK General Data Protection Regulation (GDPR). If you haven’t read that blog already, you can read it here.
In the run-up to May 2018, when the GDPR first came into force, many organisations battled with the implementation of data protection measures to keep them on the correct side of the Information Commissioner’s Office (ICO), keen to avoid the hefty fines that the new legislation would impose for failure to comply. Since then, there have been numerous high-profile cases of organisations, including Government bodies, that have fallen foul of the GDPR and felt the full effect on their pockets.
The maximum fine for the most serious infringements is £17 million or 4% of an organisation’s annual worldwide turnover, whichever is higher. It will come as no surprise, therefore, that a breach of the GDPR and Data Protection Act 2018 by the Cabinet Office in 2019 resulted in a penalty notice for the sum of £500,000 in November 2021 (published on the ICO’s website in December 2021).
In the final days of December 2019, the Cabinet Office published the 2020 New Year Honours recipients’ list on the Government website, erroneously including the full postal address of each individual. In doing so, the Cabinet Office had not processed the personal data in a way that ensured appropriate security, nor had it implemented appropriate technical and organisational measures for the process in the first place.
In this case, numerous teams were involved, but a fundamental issue was that the Cabinet Office had no specific sign-off process in place before documents were published.
The Cabinet Office had commissioned an independent review of its data handling practices, and Adrian Joseph, who led the review, noted that errors “are too easily assigned to human error where a greater consistency of process, controls and culture across Cabinet Office could have reduced the risk systemically.” The independent review further stressed the importance of regularly updating and promoting data handling documents and fixing failures within the IT systems used.
Another recent example of a failure to comply with the Data Protection Principles is HIV Scotland, which was issued a £10,000 fine for its organisational and technical security failures. HIV Scotland had sent an agenda for an event by email to 105 members, all of whom had been CC’d rather than BCC’d, meaning that every recipient’s email address was visible to all the others, and some of those addresses identified the individuals.
The ICO confirmed in this case that the email addresses themselves were not necessarily the issue, but the fact that these in combination with the agenda and the organisation revealed special category data about the individuals. It was further confirmed that the nature of the information was sensitive even if it wouldn’t be deemed as special category.
These examples highlight the importance of your organisation evidencing compliance with the (now) UK GDPR, both to protect the personal data you hold and to protect your organisation’s reputation and finances.
If you have any questions regarding your responsibilities as an organisation, please email or call Blacks’ Commercial Law team on 0113 207 0000.

Apprentice Solicitor
BBrindley@LawBlacks.com
0113 322 2809
