On 8 July, the ICO issued a statement confirming it had issued a notice of intention to fine British Airways a sum of just over £183 million relating to a cyber incident notified to it by the airline in September 2018. The incident, in part, involved user traffic to British Airways' website being diverted to a fraudulent site, allowing customer details to be harvested by attackers. The ICO found that personal information had been compromised by poor security arrangements, including in relation to log-in, payment card, travel booking and personal details.
The following day, the ICO issued a similar statement - this time of its intention to fine Marriott International just over £99 million, again relating to a cyber incident notified to it by the hotel chain in November 2018. This arose from a variety of personal data within 339 million guest records globally (including 7 million in the UK) being exposed. Interestingly, it appeared that the vulnerability arose in the systems of the Starwood hotels group in 2014, which Marriott then acquired in 2016, but the compromise was not discovered until 2018. The ICO stated that its investigation found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems on acquisition. This signals a clear warning of the importance of proper due diligence within corporate transactions, not only to assess what personal data is being acquired, but also how it is currently being protected.
While it is understandable that these first significant fines attracted headlines, it is important they are seen in the proper context. Some comfort may be taken by employers from the less publicised review published by the ICO of how GDPR has operated in practice in its first 12 months of operation. This makes very clear that GDPR is not just about big fines and that the ICO will use the full range of regulatory powers open to it, including supporting organisations to comply with the law and providing advice to them.
This appears to be borne out by the evidence. The update noted that of 14,000 personal data breach notifications received by the ICO from organisations (an over 400% increase on the previous year), the ICO closed over 12,000 of those cases. Of these, only 17.5% required any action by the organisation and less than 0.5% led to either an improvement plan or a fine. An example was given of a nursery which had reported itself after producing Father's Day cards, each containing a photo of a child, to be taken home by the child in question. There had been two children at the nursery with the same name and somehow staff had mixed up the photos, each child taking home a card with a photo of the other child inside. The ICO noted dryly that not only was no action required but that the breach was not reportable, given it was unlikely that any individual's rights or freedoms were impacted by the wrong photo being included. As such, advice was provided to the nursery in relation to the reporting thresholds.
In another case, where formal action was taken by the ICO, an organisation had disclosed personal data to incorrect recipients, arising from staff not following established policies and procedures. The ICO required that certain steps be taken by the employer, including that all staff attend mandatory training and that policies and procedures be complied with and reiterated to staff on a regular basis.
As for when the powers to issue a monetary penalty might be used, the ICO referred back to its published Regulatory Action Policy, which made clear its commitment to target its most significant powers on organisations and individuals suspected of repeated or wilful misconduct or serious failures. There will also be a focus on breaches involving highly sensitive information or adversely affecting large groups of individuals or those impacting vulnerable individuals.
As such, from an HR perspective, and with it being apparent from the above that staff are often the weak link in personal data security, it is vital to minimise the sensitive information held where possible, to always ensure it is appropriately secured and, above all, to ensure that staff training is carried out to support a robust culture of data protection. Any new HR system should also comply with the privacy by design and by default expectations.
Aside from monetary penalties, it also seems clear that the ICO has sought to limit its use of statutory investigative powers - with only 11 information notices and 15 assessment notices being issued in the first 12 months of GDPR.
While it seems clear from this review that a pragmatic approach is being taken to the use of formal enforcement powers, there is of course no room for complacency. The review notes that the greater awareness of individual rights has inevitably seen a significant impact on the number of concerns raised by the public to the ICO. In the period from 25 May 2018 to 1 May 2019, the ICO received over 41,000 data protection concerns from members of the public, a huge increase from around 21,000 the previous year. This increase has also been supported by the ICO's Your Data Matters campaign.
Of the concerns raised, it was no great surprise to see that 38% related to subject access requests, with this remaining the most frequent complaint category by far. The message seems to be that employers should assume that employees and other individuals are unlikely to hesitate in raising matters with the ICO if they believe their rights are not being complied with.
As for what lies ahead, a blog written by the Information Commissioner, Elizabeth Denham, hinted at this, noting that the focus for the second year of GDPR "must be beyond baseline compliance" and that organisations had to shift focus to accountability and being able to evidence that they understood the risks to individuals arising from their processing of personal data and how those risks were being minimised. Employers are advised to heed this warning and to focus on what steps they can now actively take to improve and demonstrate accountability, beyond the core suite of privacy notices and policies in place.