Newsletter & Blog

The Costs of Getting Data Protection Wrong

The retailer claims that no customer payment data, such as credit card or bank account details, had been placed at risk, as such details are processed via third parties and are securely encrypted. There is also no evidence to suggest that any customer passwords were compromised and they are investigating whether customers' personal data, such as names, email accounts, addresses and personalised gift design, was accessed.


Funky Pigeon have informed the relevant authorities and regulators, and says it will continue to review its protocols based on what it learned from the incident.  A comment to be expected from a cyberattack victim.


It raises some questions for Funky Pidgeon of course, such as how will this effect customer and supplier confidence?  How much will it damage the brand and what will be the reputational fall out?  All of that before remediation costs and any penalties from the ICO kick in.


Of course, that’s all speculation at the moment and until Funky Pidgeon and the ICO have completed their investigations, much remains unknown.  But it brings me back to the subject I was going to write about, the penalties of a data breach.


The Data Protection Act 2018, based as it very much is on GDPR, is a very different beast from its predecessor.  The ICO now has powers to issue a monetary penalty for an infringement of the provisions of Part 3 of the Act – Law Enforcement Processing.  Such penalties are intended to be effective and proportionate, rather than punitive, and are judged on a case-by-case basis.

These penalties come in two flavours, firstly the higher maximum amount, which is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.  Ouch!


Then there is the standard maximum, which applies If there are infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.  Still Ouch!


In practice though, the ICO is not there to put you out of business and the chances of a fine of anywhere near the maximum, being applied to an SME, is low but not impossible.


It is, for most SMEs, about doing what is reasonable to prevent a data breach.  That will include having the right policies and procedures, known to all staff and rolled out.  Don’t play lip service to this, you will be found out.  It is important to be aware of the threat and take the necessary actions to prevent breaches, as well as regulate the rules of reacting already in the situation of a suspected incident. The next step will be to create a procedure in case a data breach is confirmed.


Lack of adequate data security is an important basis for imposing fines.  Are you one of the SMEs who has swallowed the line that a firewall and some anti-virus, plus cloud storage, is all you need? 


In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law.  Have you got that covered with an adequate policy and process in place and understood?


It is also vital to cooperate with the ICO.  First thing, if you think you’ve had a breach, don’t try and cover it up, but get on the phone to the ICO help line and get some advice from them.  They are helpful, and will guide you along the way.  They even have an electronic form on their website which you can use to report breaches, which has all the subject headings for the information that you will need to provide.


It is often the sorts of SMEs and small organisations who see data protection as a one-off box-ticking exercise are the sorts of organisations that often come unstuck. Far too often we come across SMEs who have downloaded some policies from the internet, without actually understanding them, top and tail them and think that’ll do.  Wrong.


Taking responsibility for the personal data you collect, store and use will help you to avoid a fine.


Since 1 January 2022, the ICO has issued 25 penalty notices to a wide variety of companies.  They include £48K for a finance company, and £98K for a solicitors office.  How do you think your company could cope with fines like that?


You can’t wait for something to go wrong before you take action.  You need to demonstrate up front that you are taking compliance seriously or you could find yourself on the end of a punitive punishment that might cause your growth plans to stutter to a halt, or perhaps a fine at a level that you cannot survive.