If you were wondering any of the following about the new data protection regime:
Why bother with the GDPR?
Does the ICO (Information Commissioner’s Office) ‘have teeth’?
The ICO wouldn’t go for small businesses, would they?
They don’t have the same expectations of individuals, do they?
Surely, they’d never fine a charity?
What about a low-paid employee?
Councils and police forces must be ‘ship shape’ already, right?
…the following examples of enforcement action taken under the comparatively lenient regime that has applied until now might change your thinking!
A county council left files containing sensitive information about children in a filing cabinet that was sent to a second-hand shop.
A senior barrister failed to keep clients’ sensitive personal information secure: she did not encrypt her electronic files and did not ensure that her family had no access to them.
A micro company suffered a cyber attack after failing to take basic steps to protect its website from being attacked.
A police force was fined £150,000 after three DVDs containing footage of interviews with victims of violent or sexual crimes got lost in the post.
A charity secretly screened millions of its donors so that it could target them for more money.
Criminal prosecution / £232 fine / £150 costs / £30 victim surcharge:
A former medic was prosecuted for accessing, without a valid legal reason, the medical records of a patient who was also her neighbour.
A company sent marketing texts to 4.4 million people without their consent.
A property renovations company made more than 109,000 calls to people registered with the Telephone Preference Service.
An airline deliberately sent more than 3.3 million emails to people who had told them they didn’t want to receive marketing emails from the firm.
Criminal prosecution / £170 fine / £60 costs / £30 victim surcharge:
The defendant, who at the time worked at a recruitment agency, emailed the personal data of several hundred candidates to his personal email address as he was leaving to start a rival recruitment company. The data included contact details and candidate files consisting of identification and qualification documents, references and DBS checks, as well as a large number of CVs. He took the data so that he could approach the candidates as potential clients of his new business.
A price comparison website sent millions of emails to customers who had made it clear they didn’t want to be contacted in that way.
A national supermarket chain was fined for breaking the law on how people’s personal information should be treated when sending marketing emails. It deliberately sent 130,671 emails to people who had previously opted out of receiving marketing related to their loyalty card. The emails were titled ‘Your Account Details’ and invited customers to change their marketing preferences to start receiving money off coupons, extra points and the ‘latest news’ from the supermarket chain.
A small company was fined £80,000 after it failed to ensure that its automated marketing text messages were sent only to individuals who had consented to receive them.
A council failed to keep the information of up to 89,000 people secure on its parking ticket website, a system designed to let people view the CCTV image or video of their alleged parking offence. The system was found to have design faults that put the personal data of up to 89,000 people at risk of being accessed by others. That data included a small amount of sensitive personal information, such as medical details relating to appeals. It was discovered that 119 documents on the system had been accessed without authorisation 235 times from 36 unique IP addresses, affecting 71 people. The ICO found that the council should have tested the system both before it went live and regularly thereafter.
A large PLC failed to look after its customers’ data and risked it falling into the hands of scammers and fraudsters. It allowed staff to access large quantities of customer data, and its lack of adequate security measures left that data open to exploitation by rogue employees. The company started receiving complaints from customers that they were getting scam calls; typically, the scammers pretended to be providing support for technical problems and quoted the customers’ addresses and company account numbers. The investigation found that the issue lay with a portal through which customer information could be accessed. One of the companies with access to the portal was a multinational IT services company based abroad that resolved high-level complaints and addressed problems on the PLC’s behalf.
"Figuring out what you actually need to do is the first step..."
The whole concept of the GDPR might seem overwhelming, but figuring out what you actually need to do is the first step. Our future blogs, videos and podcasts will guide you on this, but the general principle is: find out what actions you need to take now, so that you can plan a flightpath for being GDPR-ready by 25th May 2018.
To find out more about how Greycoat Law can help you to become GDPR-compliant, give us a call on 0191 500 9762 (Newcastle) or 020 8989 9111 (London).
Note that this article provides general information only. It is not intended to provide specific legal advice for any individual case. If you want tailored legal guidance on your situation, you should contact a specialist lawyer. The law, as we've described it, is correct - according to the laws of England and Wales - as at the date this article was first published.