Principles, GDPR and Failure to Comply

The UK’s Data Protection Act 2018, which sits alongside and supplements the European Union’s General Data Protection Regulation (GDPR), has been a major step forward for both the rights of individuals and the obligations of organisations handling personal data. What is the punishment for breaking the Data Protection Act? Read on to find out.

Replacing the original Data Protection Act 1998 from twenty years earlier, this modernised legislation sought to raise data protection standards, strengthening individual rights and enforcing obligations at a point in time when personal information has become a highly sought-after commodity for both legitimate businesses and international criminal enterprises.

Like its predecessor, both the DPA 2018 and the GDPR allow substantial fines to be levied against offending organisations. Depending on the severity of the infringement, fines are applied in a tiered approach, with the authorities considering the circumstances that led to a breach, the organisation’s response to the incident and the overall impact on individuals.

Given the publicity surrounding these substantial fines, organisations are justified in asking: what is the punishment for breaking the Data Protection Act, and what exactly does the DPA mean for my business?

What is Data Protection?

The DPA governs how your personal information is used by businesses and other organisations. It requires that personal data is used fairly and lawfully, is accurate and up to date, is used only for explicitly stated purposes and is handled in an appropriately secure manner. By supplementing the Europe-wide GDPR, the DPA ensures a greater level of protection for the digital and data rights of citizens.

The GDPR’s requirements apply not only to organisations established in the EU, but also to organisations elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EU. For example, although Facebook is an American company, data it collects on European citizens must be managed as carefully by Facebook as it would be by any German company.

Personal Data

For the purposes of the GDPR, personal data is defined as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Breaking the Data Protection Act – Case Study

Doorstep Dispensaree Ltd Fined £275,000

In late 2019, the Information Commissioner’s Office (ICO) announced a fine against a London-based pharmacy. The penalty resulted from the pharmacy’s failure to secure special category data, which was kept in unlocked containers at the back of its premises.

Around 500,000 documents containing medical and other sensitive information were found unprotected, not only from prying eyes but also from the elements, with many files found to be rain damaged. This negligence resulted in a £275,000 fine, and the pharmacy was also ordered to improve its data protection processes within three months or face further consequences.

In the Event of a Breach

As well as asking what the punishment for breaking the Data Protection Act is, it’s worth understanding what constitutes a breach. A ‘personal data breach’ does not just mean a ‘stolen data’ incident; legally it encompasses a variety of incidents, being defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”

For example, the loss of a strongly encrypted USB drive containing personal data is still technically a breach (the data has been lost), but if the encryption key has not been compromised and a copy of the data is held elsewhere, it is unlikely to pose a risk to the individuals concerned and may not need to be reported. The same drive lost without encryption would clearly be a reportable incident.

Should your organisation fall victim to an information security attack that affects the personal information you work with, the law places specific responsibilities on you.

  • In the event of a personal data breach, an organisation is required to report it to the relevant supervisory authority within 72 hours of becoming aware of it (where feasible), unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
  • If the breach is likely to result in a high risk to the rights and freedoms of data subjects, then those individuals must also be informed “without undue delay.”
  • You must also ensure you have “robust breach detection, investigation and internal reporting procedures in place.”

Such breaches may have a range of effects on individuals, including discrimination, damage to reputation, financial loss and social or economic disadvantage. The likelihood and severity of these effects is what determines whether a breach must be reported and whether the affected individuals must be told.

Any incident must be assessed on a case-by-case basis, and organisations are required to give reasonable justification for their decision either to report or not to report a breach to the supervisory authority, which in the UK is the Information Commissioner.

Organisations are also required to keep a record of every personal data breach, regardless of whether they are required to, or decide to, notify the authorities.

Fines

The Information Commissioner has the power to issue fines for infringing data protection law, including for failure to report a breach. Failure to notify can result in a fine of up to 10 million euros or 2% of an organisation’s annual global turnover, whichever is higher, referred to as the ‘standard maximum’.

The most serious data protection violations can result in a maximum fine of 20 million euros (or the equivalent in sterling) or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher.

Organisations wishing to avoid these fines should also be aware that this ‘higher maximum’ amount can apply to failure to comply with “any of the data protection principles, any rights an individual may have or in relation to any transfers of data to third countries.”

Breaking the Data Protection Act – Case Study

Facebook/Cambridge Analytica Scandal

The violations, which came to public attention in early 2018, resulted in the maximum possible fine of £500,000 under the Data Protection Act 1998. Had Facebook’s inadequate protection of user data occurred after the introduction of the GDPR, the fine levied by the ICO could have been up to 4% of Facebook’s 2018 global revenue, around £1.7 billion.

Deputy Commissioner of the ICO, James Dipple-Johnstone noted regarding the fine, “Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals…we expect that Facebook will be able to move forward and learn from the events of this case”.

The Principles of the DPA

How Has DPA Changed?

Under the UK’s Data Protection Act 1998, eight data protection principles sat at the centre of the legislation. In 2018 these principles were developed further by the EU’s GDPR and given effect in UK law by the DPA 2018.

There is a great deal of cross-over between the 1998 and 2018 regimes, and many of the GDPR’s seven principles are only slight augmentations of the earlier ones. The table below shows how the eight 1998 principles map onto the GDPR.

 1998 Act                             GDPR
 Principle 1 – fair and lawful        Principle (a) – lawfulness, fairness and transparency
 Principle 2 – purposes               Principle (b) – purpose limitation
 Principle 3 – adequacy               Principle (c) – data minimisation
 Principle 4 – accuracy               Principle (d) – accuracy
 Principle 5 – retention              Principle (e) – storage limitation
 Principle 6 – rights                 No principle – separate provisions in Chapter III
 Principle 7 – security               Principle (f) – integrity and confidentiality
 Principle 8 – international transfers No principle – separate provisions in Chapter V
 (no equivalent)                      Accountability principle

So, what is the punishment for breaking the Data Protection Act? All organisations operating under the DPA 2018 or the GDPR should familiarise themselves with the guidance on fines and penalties published directly by the Information Commissioner’s Office, which remains the most authoritative resource on the question.