You may be aware of the Information Commissioner’s Office’s (ICO) power to fine UK organisations up to £17.5m for breaches of data protection law. However, some company owners mistakenly believe that the ICO will only financially penalise businesses for intentional misconduct. Unfortunately, this is not necessarily the case. This article will consider the extent of your liability to an ICO fine for accidental GDPR breaches. This, in turn, will help you appreciate why you should take steps to avoid ICO fines.
What is the ICO?
The UK Government created the ICO to enforce data protection rules against UK organisations. One of the ICO’s main objectives is to ensure that UK businesses comply with data protection rules, and it helps businesses do so by providing helpful online guidance. To this end, the law gives the ICO powers to enforce data protection laws. This includes levying hefty penalties on businesses that break data protection rules.
The primary law the ICO enforces is the General Data Protection Regulation (GDPR). Whilst the ICO can impose fines for breach of any part of the GDPR, the most common penalties occur when a UK organisation:
- fails to store personal information safely;
- suffers an avoidable cyber attack leading to loss of personal data;
- discloses personal information to third parties without lawful reason;
- exposes individuals (including staff and members of the public) to unreasonable monitoring methods; or
- does not provide personal data upon reasonable request (including subject access requests).
What is GDPR?
The UK General Data Protection Regulation (GDPR) is the primary data protection law in the UK. It makes clear that UK organisations should collect personal information for lawful purposes only. Where businesses collect personal data, they should ensure they store it safely, securely, and only for as long as necessary.
What Are the Biggest Recorded ICO Fines?
The ICO has made headlines over the years with their hefty financial penalties against UK organisations. In fact, during 2020 and 2021, the ICO handed down fines of over £40m.
Whilst most ICO fines will be in the region of thousands or tens of thousands of pounds, the most considerable penalties are in the millions. Examples of some huge ICO fines include:
- British Airways £20m fine – BA suffered a cyber attack that leaked the details of nearly half a million customers in 2018;
- Marriott Hotels £18.4m fine – the hotel chain took four years to realise that a cyber attack had occurred in 2014, which led to guests losing their contact and passport details;
- Clearview AI £7.5m fine – the company collected personal images of individuals for their global face recognition network without prior consent; and
- Ticketmaster £1.25m fine – the company failed to implement appropriate security on its electronic payment page, leading to the theft of credit card information relating to 1.5 million people.
Naturally, the ICO imposed such hefty fines following its investigations because of the scale of the harm caused and the number of people impacted.
Liability for Accidental Breaches
We all may have differing interpretations of what counts as an accidental GDPR breach. But generally, accidental GDPR breaches describe conduct that, while technically amounting to a breach of the law, was not undertaken with the intention to do so.
For example, consider an accountancy firm that aims to send a set of accounts to its client, Super Fast Lorries Limited. However, it mistakenly sends them to a different company whose name also starts with the letter ‘s’. This can be an easy mistake when using email software that autofills email address information!
This would constitute an innocent or accidental error because it wasn’t an intentional mistake nor due to an unreasonable company policy.
But does the fact that this was an accidental breach of GDPR protect the company from an ICO fine?
Unfortunately, the answer is no. Legally, accidental GDPR breaches often amount to negligence. Accordingly, the ICO calculates fines based on the harm caused to individuals by leaking personal information. If those accounts contained personal data relating to individuals, such as their salary, national insurance numbers and home addresses, it would be a serious personal data breach! Accordingly, the ICO may assess a fine against the accountancy firm.
Key Takeaways
As with most things, the best policy is prevention rather than cure. The ICO’s website contains helpful guides to ensuring good GDPR compliance and minimising the risk of serious mistakes. Many business owners carry out annual data protection audits to assess risk areas, and expert lawyers can help put proper procedures in place.
If you need help with GDPR compliance and correspondence with the ICO, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Whilst the ICO only awards fines in the millions on rare occasions, it routinely hands down penalties in the thousands or tens of thousands of pounds for serious offences.
The ICO can issue massive financial penalties to deter UK organisations from taking data protection lightly. Since introducing the GDPR, most UK businesses have taken proactive steps to avoid the risk of substantial fines.