Should smaller companies worry about data protection breaches?
With data breach complaints up 160% in the UK should smaller businesses and private companies be worried about big bad GDPR? We have analysed the landscape for smaller businesses as summarised below. The result is that smaller businesses are just as vulnerable as the big giants. There are no exemptions for being small.
We look at:
The emerging pattern of fines for data protection mess ups
GDPR has direct effect across all EU member states and all businesses of any size will continue to be bound by its principles and obligations. Post Brexit the rules will continue under domestic legislation so there is no escape.
So what has changed this year? There are two key developments.
- Data subject rights have proliferated and a full spectrum of reporting obligations introduced.
- There are new monetary penalties, leaving organisations in serious breach with potential fines of the higher of 20 million Euros or 4% of annual global turnover.
Not to be overlooked is the aggravation and bad publicity which arises under the process.
Recent private company failures involving the ICO
With data breach complaints estimated to have increased by 160% since the GDPR came into force in May 2018, what guidance can businesses take from pre-GDPR fines by the ICO?
£500,000 fine of Facebook
Everyone will know about Facebook’s fall from grace. But Cambridge Analytica’s British privately-owned parent company SCL Elections Ltd has now been forced into administration as a result of data breaches. It is also facing criminal prosecution for failing to deal with a previous ICO Enforcement Notice, served for the company’s inadequate response to a user’s subject access request.
Importantly, the ICO now has much greater investigatory powers to look into what is really happening behind closed doors. So data breaches not only signal monetary fines but also trigger wider investigation into a company’s operations.
£100,000 fine of The Bible Society
The charitable organisation with a turnover of approximately half a million stored personal data on an insufficiently secure internal network, which was deemed by the ICO to grant inappropriate remote access rights and was accessible via an ‘easy-to-guess’ password.
The Bible Society is not the only charity with hefty fines for data breaches, with the RSPCA fined £25,000 and the British Heart Foundation fined £18,000.
No charity or company, whatever their cause and no matter how big or small their turnover, is exempt from sanction for data breaches.
£120,000 fine of Lifecycle Marketing (Mother and Baby) Ltd
The ICO found the privately owned data broker company, also known as Emma’s Diary, illegally collected and sold personal information belonging to more than one million people specifically for political campaign use by the Labour Party.
Access seems to be a recurring issue, not only for large companies with lots of employees such as Yahoo! but equally for smaller companies that contract work out to freelancers. Data security and compliance is not just a problem for large companies – it cannot be ignored by SMEs and self-employed freelancers.
Emerging targets for ICO fines
With such a potentially lucrative path of fines for the ICO to pursue they are on the look out for breaches aided by staff and members of the public not shy in tipping off the ICO.
We see the following areas as ripe for target by the ICO:
The ICO have increasingly made these a target. The ICO fined AMS Marketing Ltd, a private company with turnover of only a few thousand pounds, £100,000 for making over 75,000 nuisance calls to people who had opted out of receiving marketing communications. The fine means the company has now ceased to trade.
The ICO is sending a clear message with its latest campaign: consumers are much more likely to complain about unwanted contact and businesses involved in mass marketing are likely to be a target for data breach investigation.
Databases are a new area for risk
If you have inherited a customer database as part of a business sale or you have bought a client list or even combined your contacts as part of a merger or joint venture, you need to check what consents have been obtained before you can legally use it. Otherwise you risk committing data protection breaches.
With complaints on the rise even against smaller companies, cutting corners is a false economy.
Not responding appropriately to a hack
Uber, the ride-hailing app was fined by the ICO for failing to protect personal information during a cyber attack. Drivers were not informed for over a year that up to 82,000 records in the UK, including details of pay, were ransomed by hackers. Uber paid the hackers to destroy the data. The ICO were clear that this was not an appropriate response to a data breach.
Going forward, the ICO will be focusing not only on how you safeguard against data theft but whether you respond appropriately to data breaches.
Vicarious liability for criminal breaches by employees
Vicarious liability means that the employer and/or its directors are liable for the acts of its employees even if the employer knew nothing about the wrongful act and was not complicit in any way.
The Court of Appeal held Morrisons the supermarket liable for a serious data breach caused by a former employee, who copied nearly 100,000 employees’ data onto a personal USB stick and later posted it to a file sharing website. Companies with a larger number of employees, contractors, freelancers or multiple sites need to be particularly careful – do you know what is being accessed?
Under UK law there is the potential for both the company and its directors to be held accountable for data breaches. This is in addition to the offending employee. In the Morrisons case the employee went to prison.