Large data protection breaches and fines grab headlines. For example, Amazon revealed that it has been fined €746 million (although the details of exactly what this relates to haven’t been revealed), and there is also news of a breach experienced by T-Mobile affecting 40 million customers.

Of course, no-one wants to have a data breach, much less have to ‘fess up’ to the regulator, but we thought we would share our experience of dealing with the ICO on data breaches – none of which resulted in a fine!

If you experience a breach, we can help you assess it quickly – see here.

Our experience as DPO

We acted as Data Protection Officer (“DPO”) for an energy provider with a large consumer database of over half a million customers and over 200 employees. Our client had a comprehensive data protection programme in place, but given the large amount of personal data it held, it was inevitable that a data breach would occur from time to time.

The most common type of breach we saw was caused by human error and involved a small amount of data relating to a single customer, e.g. an email containing a limited amount of personal data being sent to the wrong recipient.

Every breach needs to be assessed and documented, but not every breach needs to be notified to the ICO. A breach is only notifiable if it is likely to result in a risk to the individual – in which case you need to report it to the ICO within 72 hours of becoming aware of it. So a breach involving one individual could still be reportable, but all factors are relevant to assessing the impact – e.g. the amount of data breached, who has accessed or may have accessed the data, etc.

There were a couple of instances where we felt the threshold for notifying was met and so liaised with the ICO on the matter. On these occasions the outcome was simply a number of recommendations from the ICO – no fine or other sanction! The ICO itself has said: “Modern regulation uses a wide range of tools. Fines and penalties are always a last resort.”

Moral of the story

No data protection programme is completely fail-proof, but you shouldn’t fear the worst or stick your head in the sand!

We do not doubt that the ICO took a number of factors into account when deciding not to impose a fine, not just the actual circumstances of the breach. So, to put yourself in the best position, we advise:

  • Understand the data flows within your business – see Bloody Data Protection! Where do I start?
  • Have a data protection programme in place to minimise the data protection risks within your business (we will be covering this in more detail in a separate blog).
  • Have a breach process embedded in your business which allows you to react quickly – the ICO doesn’t care if you’re busy or it’s a Friday afternoon!
  • Be honest – the ICO accepts that breaches can occur. But also remember that not every breach needs to be reported.

If you have any questions about data breaches, please contact Alison on 01202 729444 or e-mail