Data privacy in the UK has hardly been a quiet topic in recent months, but there have been two news stories from the last few weeks of particular note. They are each remarkable individually. Put side by side, they show a trend that is more thought-provoking than the sum of their parts.
It was announced in late September that Equifax was to be fined £500,000 by the UK ICO after hackers stole the personal details and records of up to 15 million UK citizens in 2017. The breach happened because a known vulnerability was left unpatched; security patches had been negligently overlooked by Equifax’s IT team. Even more galling is that only a couple of months earlier, the business had been warned by the US Department of Homeland Security that its systems were vulnerable.
The £500,000 fine is the heftiest sum that the ICO could impose under the pre-GDPR Data Protection Act 1998. And to think that this is the same ICO that only a few years ago was frequently criticised for being unwilling to impose serious fines for data breaches. Even after 2010, when it was first empowered to issue financial penalties, it rarely “went big”: in those first five years, it levied only £7m of fines in total.
Largely, and perhaps in fact admirably, this was due to a policy of preferring support and collaborative remediation over fines. After all, many feared that fines would be considered by the largest businesses – and the ones that could do the most damage to the public’s privacy – as an acceptable risk of doing business, leaving illicit or unethical processes unchanged. Proactively helping businesses to respect subjects’ privacy without damaging their own productivity, and without threats, was seen by the ICO as the better way to deliver on its core goal – effecting real change amongst UK businesses.
This ethos was regularly reported as set to continue after the introduction of the GDPR. Before its arrival, the ICO took great pains to push a strong message that the GDPR was a catalyst for it to work even harder to protect UK citizens’ data by ensuring businesses were using personal data legitimately, and not a weapon to be brandished, except in the most serious circumstances.
This exception was reiterated by Emma Martins, the Data Protection Commissioner for Guernsey, who expressed exactly the same mentality in our GDPR Interview Series, published before the GDPR came into force in May 2018. In it, she said:
“The vast majority of processors and controllers want to do the right thing, so if we help them do so, we will all benefit. Having said that, we are going to be ready to implement the legislation if and when we need to. We of course should be seen to correctly address the serious breaches and that is certainly what we will do where necessary and appropriate.”
And so we come to the formal notice from the ICO to AggregateIQ, issued the day after the Equifax penalty was reported.
Both organisations committed their key transgressions before May 2018. But while Equifax’s errors were confined to a point in time in 2017, AggregateIQ not only profiled and targeted voters on behalf of Vote Leave during the Brexit referendum campaign in 2016, it then continued to process the data after the GDPR took effect in May this year. That continued processing brought the case under the GDPR, and its far heavier penalties. AggregateIQ is appealing the notice, but the industry speculation is that the largest possible fine of €20m (or 4% of global annual turnover, whichever is higher) is being considered.
In years gone by, the ICO was considered relatively benign. For some, even the two-pronged message of preferring to support rather than fine, unless forced to, was taken as a licence to put off difficult decisions. The cases deemed serious enough for headline-grabbing fines would be few and far between, and so the GDPR would remain little to worry about.
That no longer rings true. The Equifax penalty has shown the ICO’s appetite, courage and determination to impose punitive measures, and the AggregateIQ notice will doubtless reinforce this. It is irrelevant whether the ICO is driven by its mission or by public pressure (and I personally think it is the former) – the net effect is that businesses will have to re-examine the legitimacy and ethics of their processing of UK citizens’ personal data.
The GDPR is only a law. It requires a body to enforce it, and the ICO is clearly up to the challenge.