For those working in Data Protection, there are many interesting things to note about the forthcoming General Data Protection Regulation. There is the clarification of consent, which may send tawdry marketers into a spin. There is the tightening of the rules over criminal records. There is the helpful emphasis on risk. My current favourite thing is a sly anti-establishment streak – here and there, the GDPR returns to the theme of the power imbalance between the data subject and the big public institution, and seeks to even up the score.
For some, however, there is only one thing to talk about. All that matters is the fines. Fines fines fines, all day long. A conference held in London last week was Fine City as far as the tweets were concerned. COMPANIES MIGHT GO BUST, apparently. Meanwhile, the Register breathlessly reheated a press release from cyber security outfit NCC Group, featuring a magical GDPR calculator that claims ICO’s 2016 penalties would have been either £59 million or £69 million under GDPR (the figure is different in the Register’s headline and story, and I can’t be bothered to find the original because it’s all bullshit).
This is my prediction. There will never be a maximum GDPR penalty in the UK. Nobody will ever be fined €20 million (however we calculate it in diminishing Brexit Pounds), or 4% of annual turnover. There will be a mild swelling in the amount of fines, but the dizzy heights so beloved of the phalanx of new GDPR experts (TRANSLATION: people in shiny suits who were in sales and IT in 2015) will never be scaled. It’s a nonsense myth from people with kit to sell. I have something to sell, friends, and I’m not going to sell it like this.
I have no quibble with DP officers and IG managers hurling a blood-curdling depiction of the penalties at senior management when they’re trying to get more / some resources to deal with the GDPR onslaught – I would have done it. There is probably a proper term for the mistake NCC made with their calculation, but I’m calling it the Forgetting The ICO Has To Do It Syndrome. NCC say Pharmacy2U’s penalty would inflate from £130,000 to £4.4 million, ignoring the fact that the decision would not be made by a robot. Pharmacy2U flogged the data of elderly and vulnerable people to dodgy health supplement merchants, and ICO *only* fined them £130,000, despite having a maximum of £500,000. Of course, some penalties have caused genuine pain for cash-strapped public authorities, but when NCC say that their adjusted-for-GDPR Pharmacy2U fine represented “a significant proportion of its revenues and potentially enough to put it out of business“, they’re not adjusting their hot air for reality.
Take the example of a monetary penalty issued by the ICO in March against a barrister. The barrister was involved in proceedings at the Family Court and the Court of Protection, so her files contained sensitive information about children and vulnerable adults. Despite guidance issued by the Law Society in 2013, they were stored unencrypted on her home computer. While upgrading the software on the machine, her husband backed up the files to online storage. Some of the files were indexed by search engines, and were subsequently found by a local authority lawyer.
The ICO fined the barrister £1000, reduced to £800 if they paid on time. I don’t think all barristers are loaded, but most could pay a penalty of £800 without going bankrupt. £800 isn’t remotely enough for a breach as basic and avoidable as this. The aggravating factors are everywhere – the Law Society guidance, the lack of encryption, the fact that the husband had access to the data. If the ICO was capable of issuing a £4.4 million penalty, they’d fine a barrister more than £800 for this mess. And what’s worse, they redacted the barrister’s name from the notice. The ICO offered no explanation for this, so I made an FOI request for the barrister’s name and for information about why the name was redacted.
They refused to give me the name, but disclosed internal correspondence about their decision to redact. There is a lot in the response to be concerned about. For one thing, in refusing to give me the name, the ICO contradicts its own penalty notice. The notice describes an ongoing contravention from 2013 (when the Law Society guidance was issued) to 2016 (when the data was discovered). Nevertheless, the FOI response states that “this data breach was considered a one off error“, and a reference to this characterisation is also made in the notes they disclosed to me.
If it was a one-off error, ICO couldn’t have issued the penalty, because they don’t have the power to fine people for incidents, only for breaches (in this case, the absence of appropriate technical and organisation security measures required by the Seventh Data Protection principle). Given that the notice states explicitly that the breach lasted for years, the ICO’s response isn’t true. It’s bad enough that the ICO is still mixing up incidents and breaches four years after this confusion lost them the Scottish Borders Tribunal appeal, it’s even worse that they seem not to understand the point of fining Data Controllers.
In the notes disclosed to me about the decision to redact the notice, ICO officials discuss the “negative impact” of the fine on the barrister, especially as she is a “professional person who is completely reliant on referrals from external clients“. Despite the Head of Enforcement putting a succinct and pragmatic case for disclosure: “it is easier to explain why we did (proportionate, deterrent effect) rather than why we didn’t“, he is unfortunately persuaded that the most important thing is to “avoid any damage to reputation”. Bizarrely, one person claimed that they could “get the deterrent message across” despite not naming the barrister.
The GDPR requires that fines be “effective, proportionate and dissuasive” – an anonymous £800 fine fails on each point. Anyone who takes their professional obligations seriously needs no horror stories to persuade them. For those who do not, an effective, proportionate and dissuasive penalty is either a stinging fine or naming and shaming. The ICO had no appetite for either option, and effectively let the barrister get away with it. They valued her professional reputation above the privacy of people whose data she put at risk, and future clients who will innocently give their confidential and private information to someone with this shoddy track record.
If the NCC Group, and all the various vendors and GDPR carpetbaggers are to be believed, within a year, the UK will operate under a regime of colossal, multi-million pound fines that will bring errant businesses to their knees. In reality, the ICO cut the fines on charities by 90% to avoid upsetting donors, and rendered their enforcement against an irresponsible data controller pointless for fear of putting her out of business.
These two pictures cannot be reconciled. It is entirely possible for the ICO to put someone out of business – indeed, many recipients of their PECR penalties are forced into liquidation (this may be a ploy to avoid the fines, but nevertheless, the businesses close). But the majority of PECR penalties are issued against businesses operating on the very fringe of legality – they are not mainstream data controllers. They are not nice, professional barristers. They are not the audience for the Great GDPR Fine Hysteria. If the ICO cannot stomach the risk of putting a single barrister out of business pour encourager les autres, it is disingenuous to pretend that they will rain down fire on mainstream data controllers after May 2018. We’ll get more of the same – cautious, reactive, distracted by the incident, and unwilling to take aim at hard targets. Plus ça change.