Pharmacy2U's fine of £130,000 would balloon to £4.4m – a significant proportion of its revenues and potentially enough to put it out of business.
They gave access to users' information to someone else.
Why should they NOT go out of business?
Fines from the Information Commissioner's Office (ICO) against Brit companies last year would have been £69m rather than £880,500 if the pending General Data Protection Regulation (GDPR) had been applied, according to analysis by NCC Group. The 2015 penalties would also have risen drastically from £1m to £35m under the same …
Big fines make a good argument to all businesses that - faced with fines as large as these - it's worth taking on an employee or two in order to make sure that nothing like that happens, thereby putting the whole business at risk.
And should a firm be reckless enough to ignore legislation of which it should be aware (Director's responsibilities etc.) then perhaps it does deserve to fail. Same as if it ignored fire safety legislation and its warehouse burned to the ground.
Or in short form "pour encourager les autres"
...healthcare data, and as it's likely that people buy stuff online because they're too embarrassed to ask their GPs about it, you can guess the sort of conditions that would be disclosed.
GDPR recognises that the disclosure of different types of PII has different levels of significance to the data subject. Especially personal and private healthcare information is likely to be in the very highest category, along with personal finances (and maybe your primary email account) in terms of the impact on people's lives, so the fines and enforcement / compliance notices should be appropriately savage for anyone who wilfully plays fast and loose.
It's not that the fines would have been £69m, but that they could have been.
The ICO rarely (if ever) applies the maximum fine now, GDPR only specifies higher maximum penalties.
NCC have been very disingenuous using maximums and applying those to existing non-maximum penalties.
And it's dependent upon whether or not our toothless tiger decides to fine companies that much.
There is a well established principle for UK regulators to have an indicative value of the fine, usually based upon the deemed "harm to consumers", and then apply tests against mitigating and aggravating circumstances. In practical terms this will revolve around the assumed value of harm of what was done. So failing to protect data, without a material (known) leakage of data wouldn't be as serious as losing data. Losing data depends on the volume, exactly what data was lost, and over what time period. Aggravating circumstances would include evidence of failure to put in place proper security controls and testing, lack of patching, failure to notify the regulator and customers promptly.
Of course, the big companies will try and drive a horse and cart through the implementation of both GDPR and any UK legislation, not merely by challenging the letter of the law, but challenging the assumed value of harm, and then asking for every (pretend) mitigation allowed. I've seen this in the energy sector. E.ON got fined £7.7m for failing to install 7,000 business smart meters, they admitted their guilt up front, didn't try for mitigation other than the admission, so that was a fine of about £1,100 per meter not fitted. British Gas failed the same deadline to the tune of 10,000 meters, but only got fined £4.5m, so £450 per meter not fitted. That was because they played a good defensive game, used good advisors to make their defensive case, and were able to apply all the mitigating circumstances they possibly could.
There's another reason current data protection fines are so low - because Google, Facebook et al made sure the maximum fine was immaterial to them, even if it could really sting an SME or a cash strapped health trust. In the same way that the newly raised "income related" speed fines are up to 150% of weekly income up to a maximum of £1,000 - meaning that for footballers, company directors, MPs with multiple jobs, the impact will be far less than for (say) a mid grade employee on £35-45k. All such top limits are about abandoning the principle to favour a rich vested interest, and I'm sure we'll see this continue.
that a massive fine that potentially kills the business both puts a lot of people out of work, and removes a service that presumably a lot of people are using. It might not be the best service there is, but it's the one they've got.
What they should be doing is making the directors responsible and fining/jailing *them*.
That would mean BT's fine for covertly using Phorm would be 79x nothing at all.
See, unfortunately, the ICO staff still get to choose which bunch of criminals get fined, and which don't.
And the ICO staff "are not technical experts", we are only "theory customers", and Phorm was only "a small trial [on thousands of people and thousands of businesses that served them over three years by a bunch of foreign spyware developers]".
From the article: Although the UK is leaving the European Union, compliance with the GDPR will still be mandatory for British firms that handle EU citizens' data.
All well and good, but will the GDPR be mandatory if the British firms are only handling UK citizens' data? After all, at that point British citizens will not be EU citizens. And will adherence to the GDPR apply just to data held on EU citizens, with British citizens not enjoying the same protection, or will it apply to both groups?
I can easily imagine companies that mishandle UK citizens' data trying to wriggle out of any liability under the GDPR if they possibly can.
GDPR applies *organisation-wide* requirements to any organisation that either handles data within the EU or handles data from an EU citizen regardless of where that citizen is. Penalties are applied against the ultimate global entity.
It's impossible to wriggle out of and effectively applies worldwide. This is a good thing. American companies have practically no idea GDPR exists and they're in for a shock.
The requirements are organisation-wide because the main changes under GDPR are organisational. It's no longer just about "protecting" information, but continually assessing the privacy impact of business operations, designing privacy and security in from the start of a project and capturing evidence of their implementation to best practices. So it doesn't actually matter to whom the data belongs - if the system design is inadequate you're in breach of the GDPR regardless of whether a breach occurs.
GDPR applies *organisation-wide* requirements to any organisation that either handles data within the EU or handles data from an EU citizen regardless of where that citizen is. Penalties are applied against the ultimate global entity.
But presumably not subsidiaries etc, which is how companies will handle this. They will move their data processing activities to a separate subsidiary, or some other wheeze, and say "nothing to do with us Guv, fine this completely separate company that was doing all our data processing. The one without any assets."
The fines are applied to the ultimate parent entity. Shift it through as many layers of subsidiaries as you like - it's the parent company that will take the hit.
That is way too simplistic. Company structures often separate ownership from control, since liability follows ownership, as you have suggested here, when it is control that often counts.
As a simplistic example, what if the "subsidiary" doesn't have any direct connection to its actual "parent", but is an independent entity whose sole relationship is that it shares a few of the directors and its operation is funded by a contract to supply services with the "parent"? The shareholders can be a trust with some random beneficiaries, since it is never going to receive any profits from the "subsidiary" because there aren't going to be any.
For a real life example see http://www.taxresearch.org.uk/Blog/2007/09/17/northern-rock-the-questions-needing-answers/
"All well and good, but will the GDPR be mandatory if the British firms are only handling UK citizens' data?"
No British business is going to have only UK citizen data in its systems - EU citizens live here in the UK too and they inevitably will be in the system post-Brexit.
I think this article misses out the fact that GDPR WILL impact all businesses in the UK, because it's coming in May 2018 when we're still in the EU. Brexit is only happening a year later, in 2019, although again it'll still apply because UK businesses will likely be holding data on EU citizens.
UK businesses will likely be holding data on EU citizens
Once the UK is outside the EU, it is not a question of if, it is a question of when May's surveillance and police state policies will bite. Once that happens it can kiss the status of an allowed destination for data exchange goodbye.