Penalties for data breaches

Individuals and organisations alike are increasingly reliant on technology to assist with all kinds of functions – from communicating and sharing data to strengthening security and recruiting staff.

We have witnessed a number of large breaches of personal data over the past couple of days, from the hacking of the Electoral Commission involving UK voters’ personal data being exposed, to thousands of Police Service of Northern Ireland officers and civilian staff also having their personal data compromised.

Another fairly recent data breach was that of Capita, the outsourcing giant used by many public and private organisations and handling the personal data of millions of people. Capita suffered a cyber-attack in May this year, which resulted in a number of pension funds being hit. Personal data was accessed and possibly copied by the hackers. Hundreds of thousands of people may be affected. It later emerged that Capita had left a repository of files unsecured online.

What is a personal data breach?

A personal data breach under the UK GDPR is defined as “a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Individuals are entitled to go to court to enforce their rights under data protection law if they believe these have been breached, and/or to claim compensation for any damage caused, including any distress that may have been suffered. Capita is now facing a class action lawsuit, estimated to be around £20 million.

What are the repercussions for organisations dealing with data breaches?

Organisations breaching data protection law are not only liable from the data subjects’ side, but also from the relevant data privacy watchdog. In the UK, this is the Information Commissioner’s Office (ICO). Infringements of data protection law carry hefty fines. The UK GDPR and the Data Protection Act 2018 set a maximum fine of the greater of £17.5 million, or 4% of an organisation’s annual global turnover.

In May this year, the ICO issued a £12,700,000 fine to TikTok for a number of breaches of data protection law, including failing to use children’s personal data lawfully. The ICO also issued a fine with a combined total of £180,000 to two companies which made unlawful marketing calls to businesses signed up with the UK’s “Do not call” register. This demonstrates that the ICO takes data breaches seriously and holds organisations accountable for their actions.

Other notable fines in this area include Google’s sizeable GDPR fine of €50m (£43.2m) issued after a French regulator found that Google had failed to make its consumer data processing statements easily accessible to users, and H&M’s €35.3m (£32.1m) fine after German regulators found that H&M was secretly monitoring its employees.

A report on organisations’ cost of data breaches shows a 15% rise on the past three years. This may not come as a surprise as the pandemic has accelerated the use of digital technologies. The increase in hybrid working has also faced organisations with limitations on data security at employees’ homes. Although the increased use of technology by organisations is a positive, clearly, it is not without risks.

What to do in the event of a data breach

Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, there is a duty to notify the ICO of the breach within 72 hours of the organisation becoming aware of it. Employees should also ensure that they comply with their employers’ reporting procedures and policies on data breaches. For more information on an organisation’s obligation to report data breaches, listen to our podcast on data breaches.