READING THE FINE PRINT: WHAT YOU MAY HAVE MISSED IN THE ICO’S REGULATORY ACTION POLICY

Three years ago, when a CEO picked up the phone to discover that the personal details of their customers had been stolen by cyber criminals, they could discuss it, ironically, in the privacy of their boardroom. Rather than worrying about disclosure, and how they were going to tell their highly-valued patrons, they could consider whether to tell them at all.

Just writing that sentence now seems incredibly anachronistic. In an era when privacy is a key concern for customer loyalty, and regulations such as the GDPR create significant corporate liabilities for negligence, boards are making every effort never to receive that phone call. But when they do, they are paying close attention to how they should proceed in the eyes of their customers, investors and regulators. In this respect, the ICO’s lesser-read Regulatory Action Policy offers some valuable guidance beyond the GDPR, in particular on the fines it may seek to levy and why.

At 29 pages, the updated Policy is almost double the length of its predecessor, and offers far more detailed and prescriptive guidance to help organisations shape their ‘risk-based approach’ to GDPR compliance. Although still in draft form, the Policy is currently before Parliament awaiting approval and few major changes are expected.

The first thing to note is that penalties under the GDPR are divided into two tiers, and only violators of specific provisions of the GDPR are liable for the eye-watering penalties at the higher end of the scale. Secondly, the highest fines will be reserved for the most egregious violators.

The Commissioner has made it explicitly clear that intentional, wilful, neglectful or repeated breaches, particularly those that have a high impact on individuals, can expect stronger regulatory action. Moreover, failure to follow relevant advice, warnings or guidance from the ICO will also be viewed unfavourably.

However, assuming your organisation is keen to follow the rules, two key considerations emerge as having the greatest influence on the fine (if any) you receive in the event of a breach, namely:

How your organisation protects personal data; and,

How your organisation responds to the breach.

[Figure: The ICO’s method for calculating penalties]

 Measuring Up 

The organisational and technical measures your organisation has in place will play a large part not only in preventing data breaches from occurring, but in reducing the fine if a breach does occur.

The recent Heathrow Airport Case provides a prime example where a failure to implement appropriate protective and preventative measures was considered an aggravating factor by the ICO. In October, the airport was fined £120,000 after an employee lost a memory stick containing personal information of up to 50 staff. This error is not outside the realm of possibility for most organisations, as most of the compromised information was contained incidentally within a training video, and was only visible for approximately three seconds.

In their penalty notice, the ICO highlighted Heathrow’s failure to implement technical measures and train its staff to prevent data exfiltration. Blocking USB ports, encrypting mobile storage devices, and delivering information security awareness training were three relatively cheap and straightforward measures that Heathrow could have applied in this instance to prevent the breach from occurring.

Even though the fine was issued under the previous legislation (the Data Protection Act 1998), the emphasis placed on the lack of technical controls and training suggests this will continue to be the focus of the ICO’s future investigations.

 Life’s a Breach 

As the head of the UK’s National Cyber Security Centre has asserted, data breaches are now a matter of ‘when, not if’, and the ICO’s Regulatory Action Policy recognises this reality by being lenient towards organisations who respond to incidents promptly and appropriately, and penalising those who do not.

With this in mind, it makes sense to have a plan in place for when the inevitable happens. Coordinating the right people and collecting the necessary evidence to notify the ICO within the 72-hour reporting period is deceptively challenging, and a slick and timely response to a data breach requires significant planning and practice. At a minimum, organisations should develop a breach response plan to follow when an incident occurs. Better still, testing that plan through table-top exercises and simulated scenarios will provide peace of mind that the right people will be called and that they will know what to do. This could be the difference between a steep fine and a slap on the wrist.

Uber demonstrated the importance of this last month when it was fined £385,000 for compromising the personal details of 2.7 million UK customers. Part of this figure was attributed to their failure to notify the Commissioner or affected data subjects when they discovered the breach. The Commissioner also concluded that their delay in reporting the breach is likely to have ‘compounded the distress’ that affected individuals suffered. Still, Uber should consider itself lucky, as the date of the incident meant it was fined under the previous legislation, which capped penalties at £500,000.

 GDPR – A game of two halves 

In the lead-up to the enforcement of the GDPR, organisations had to find out what personal data they held and establish their grounds for processing it. This initial phase saw privacy policies reviewed, consents obtained, and notifications to data subjects updated to demonstrate compliance. Whilst these steps are key requirements of the GDPR, they are just the beginning of reaching business as usual under the regulation. The ICO’s Regulatory Action Policy makes it clear that organisations can best protect themselves by focusing their attention on how they secure their personal data, and how they will respond if they lose it.