back to article Last year's ICO fines would be 79 times higher under GDPR

Fines from the Information Commissioner's Office (ICO) against Brit companies last year would have been £69m rather than £880,500 if the pending General Data Protection Regulation (GDPR) had been applied, according to analysis by NCC Group. The 2015 penalties would also have risen drastically from £1m to £35m under the same …

  1. Gordon Pryra

    Pharmacy2U's fine of £130,000 would balloon to £4.4m – a significant proportion of its revenues and potentially enough to put it out of business.

    They gave access to users information to some else.

    Why should they NOT go out of business?

    1. graeme leggett

      Big fines make a good argument to all businesses that - faced with fines as large as these - it's worth taking on an employee or two in order to make sure that nothing like that happened thereby putting the whole business as risk.

      And should a firm be reckless to ignore legislation of which it should be aware (Director's responsibilities etc.) then perhaps it does deserve to fail. Same as if it ignored fire safety legislation and it's warehouse burned to the ground.

      Or in short form "pour encourager les autres"

    2. Tom Paine Silver badge

      Even worse

      ...healthcare data, and as it's likely that people buy stuff online because they're too embarrassed to ask their GPs about it, you can guess the sort of conditions that would be disclosed.

      GDPR recognises that the disclosure of different types of PII have different levels of significance to the data subject. Especially personal and private healthcare information's likely to be in the very highest category, along with personal finances (and maybe your primary email account) in terms of the impact to people's lives, so the fines and enforcement / compliance notices should be appropriately savage for anyone who wilfully plays fast and loose.

    3. Aitor 1 Silver badge

      umbrella corp/

      So the trick is to have an offshore company being the one that takes the legal risk and another that gets the money and owns the brands and trademarks, but not the business, so in case all goes shouth, time to open a new company...

  2. GlenP Silver badge

    Not quite fake news but...

    It's not that the fines would have been £69m but could have been.

    The ICO rarely (if ever) applies the maximum fine now, GDPR only specifies higher maximum penalties.

    NCC have been very disingenuous using maximums and applying those to existing non-maximum penalties.

    1. VinceH Silver badge

      Re: Not quite fake news but...

      Exactly what I hit the comments button to say. These are "maximum" amounts that the fines could be "up to" - and it's dependent upon whether or not our toothless tiger decides to fine companies that much.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not quite fake news but...

        and it's dependent upon whether or not our toothless tiger decides to fine companies that much

        There is a well established principle for UK regulators to have an indicative value of the fine, usually based upon the deemed "harm to consumers", and then apply tests against mitigating and aggravating circumstances. In practical terms this will revolve around the assumed value of harm of what was done. So failing to protect data, without a material (known) leakage of data wouldn't be as serious as losing data. Losing data depends on the volume, exactly what data was lost, and over what time period. Aggravating circumstances would include evidence of failure to put in place proper security controls and testing, lack of patching, failure to notify the regulator and customers promptly.

        Of course, the big companies will try and drive a horse and cart through the implementation of both GDPR and any UK legislation, not merely by challenging the letter of the law, but challenging the assumed value of harm, and then asking for every (pretend) mitigation allowed. I've seen this in the energy sector. E.ON got fined £7.7m for failing to install 7,000 business smart meters, they admitted their guilt up front, didn't try for mitigation other than the admission, so that was a fine of about £1,100 per meter not fitted. British Gas failed the same deadline to the tune of 10,000 meters, but only got fined £4.5m, so £450 per meter not fitted. That was because they played a good defensive game, used good advisors to make their defensive case, and were able to apply all the mitigating circumstances they possibly could.

        There's another reason current data protection fines are so low - because Google, Facebook et al made sure the maximum fine was immaterial to them, even if it could really sting an SME or a cash strapped health trust. In the same way that the newly raised "income related" speed fines are up to 150% of weekly income up to a maximum of £1,000 - meaning that for footballers, company directors, MPs with multiple jobs, the impact will be far less than for (say) a mid grade employee on £35-45k. All such top limits are about abandoning the principle to favour a rich vested interest, and I'm sure we'll see this continue.

    2. Tom Paine Silver badge

      Re: Not quite fake news but...

      It's not that the fines would have been £69m but could have been.

      I'll see you, and raise you SHOULD.

  3. Voland's right hand Silver badge

    Nuke'em till they glow

    4%? How about the same as for competition violation - 10% of Global turnover and criminal responsibility for the director, CIO and the entire board. That would be more appropriate.

  4. Neil Barnes Silver badge

    The problem is...

    that a massive fine that potentially kills the business both puts a lot of people out of work, and removes a service that presumably a lot of people are using. It might not be the best service there is, but it's the one they've got.

    What they should be doing is making the directors responsible and fining/jailing *them*.

  5. dephormation.org.uk
    FAIL

    Excuse me if I'm not cheering...

    That would mean BT's fine for covertly using Phorm would be 79x nothing at all.

    See, unfortunately, the ICO staff still get to choose which bunch of criminals get fined, and which don't.

    And the ICO staff "are not technical experts", we are only "theory customers", and Phorm was only "a small trial [on thousands of people and thousands of businesses that served them over three years by a bunch of foreign spyware developers]".

  6. Commswonk Silver badge

    Yes, but...

    From the article: Although the UK is leaving the European Union, compliance with the GDPR will still be mandatory for British firms that handle EU citizens' data.

    All well and good, but will the GDPR be mandatory if the British firms are only handling UK citizens data? After all at that point British citizens will not be EU citizens. And will adherence to the GDPR apply just to data held on EU citizens with British citizens not enjoying the same protection or will it apply to both groups?

    I can easily imagine companies that mishandle UK citizens data trying to wriggle out of any liability under the GDPR if they possibly can.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yes, but...

      Also they will simply spin up a shell holding company for the EU.

      1. Tom Paine Silver badge

        Re: Yes, but...

        That won't work. GDPR requirements are transitive - you don't offload them to a third party by outsourcing over even using complicated corporate structures, you just add the job of auditing that third party's security posture to your to-do list.

        1. Doc Sheldon

          Re: Yes, but...

          True. AND... the supervising authority can easily find both controller and processor equally guilty. Can't pass the buck...

    2. Anonymous Coward
      Anonymous Coward

      Re: Yes, but...

      GDPR applies *organisation-wide* requirements to any organisation that either handles data within the EU or handles data from an EU citizen regardless of where that citizen is. Penalties are applied against the ultimate global entity.

      It's impossible to wriggle out of and effectively applies worldwide. This is a good thing. American companies have practically no idea GDPR exists and they're in for a shock.

      The requirements are organisation-wide because the main changes under GDPR are organisational. It's no long just about "protecting" information, but continually assessing the privacy impact of business operations, designing privacy and security in from the start of a project and and capturing evidence of their implementation to best practises. So it doesn't actually matter to whom the data belongs - if the system design is inadequate you're in breach of the GDPR regardless of whether a breach occurs.

      1. Smooth Newt Silver badge
        Stop

        Re: Yes, but...

        GDPR applies *organisation-wide* requirements to any organisation that either handles data within the EU or handles data from an EU citizen regardless of where that citizen is. Penalties are applied against the ultimate global entity.

        But presumably not subsidiaries etc, which is how companies will handle this. They will move their data processing activities to a separate subsidiary, or some other wheeze, and say "nothing to do with us Guv, fine this completely separate company that was doing all our data processing. The one without any assets."

        1. Anonymous Coward
          Anonymous Coward

          Re: Yes, but...

          But presumably with all the data? Fair enough, fine them, bankrupt them, seize all their servers and backups and wipe them and flog them off.

        2. Anonymous Coward
          Anonymous Coward

          Re: Yes, but...

          "They will move their data processing activities to a separate subsidiary"

          The fines are applied to the ultimate parent entity. Shift it through as many layers of subsidiaries as you like - it's the parent company that will take the hit.

          1. Smooth Newt Silver badge
            Stop

            Re: Yes, but...

            The fines are applied to the ultimate parent entity. Shift it through as many layers of subsidiaries as you like - it's the parent company that will take the hit.

            That is way too simplistic. Company structures often separate ownership from control, since liability follows ownership, as you have suggested here, when it is control that often counts.

            As a simplistic example, what if the "subsidiary" doesn't have any direct connection to its actual "parent", but is an independent entity whose sole relationship is that it shares a few of the directors and its operation is funded by a contract to supply services with the "parent"? The shareholders can be a trust with some random beneficiaries since it is never going to receive any profits from the "subsidiary" because there aren't going to any.

            For a real life example see http://www.taxresearch.org.uk/Blog/2007/09/17/northern-rock-the-questions-needing-answers/

    3. Test Man

      Re: Yes, but...

      "All well and good, but will the GDPR be mandatory if the British firms are only handling UK citizens data?"

      No British business are going to have only UK citizen data in their systems - EU citizens live here in the UK too and they inevitably will be in the system post-Brexit

      1. katrinab Silver badge

        Re: Yes, but...

        Particularly in Northern Ireland, where anyone born there is entitled to Irish citizenship and is therefore an EU citizen.

    4. Doc Sheldon

      Re: Yes, but...

      Since GDPR specifically prohibits any sort of automated geolocation, it would be exceedingly difficult for any enterprise to afford different treatment to UK citizens than it does for those of the EU. I suspect that may have been the hope when they passed GDPR.

  7. Awil Onmearse

    Judas Priest FTFY

    "there will be significant commercial impacts for organisations that fall foul of the regulations."

    .. That break the law.

    1. Voland's right hand Silver badge

      Re: Judas Priest FTFY

      Yeah, I can just see the ICO Screaming For Vengeance if you are Breaking The Law regardless if this has something to do with British Steel or it is something Unleashed in the East to the British Isles.

  8. chivo243 Silver badge
    Coat

    Communist Plot

    By the governments to acquire all businesses and services. No company can be fully compliant? Can they?

    My coat with a copy of The Prince in the pocket...

  9. Test Man

    I think this article misses out the fact that GDPR WILL impact all businesses in the UK, because it's coming in May 2018 when we're still in the EU. Brexit is only happening a year later, in 2019, although again it'll still apply because UK businesses will likely be holding data on EU citizens.

    1. Voland's right hand Silver badge

      If they are allowed to.

      UK businesses will likely be holding data on EU citizens

      Once the UK is outside the Eu, it is not a question of if, it is a question of when May surveillance and police state policies will bite. Once that happens it can kiss the status of an allowed destination for data exchange good bye.

  10. Glennda37

    Fines at this scale are needed

    Fines at that level are needed as otherwise it is cheaper to take the fine over actually paying for properly designed security

  11. Nick Leaton

    The NHS gives anonomised data to the ONS, including NHS number

    The ONS gets NHS numbers and names and address from the GRO. This is stored in the RON database.

    They can now see your personal medical records.

    1. Anonymous Coward
      Anonymous Coward

      How can they see medical records? I suspect you're fear-mongering.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019