Figures from PwC’s 2018 Privacy and Security Enforcement Tracker show the sum of monetary penalties issued to UK organisations for breaching data protection laws in 2018 totalled more than £6.5 million. That’s over £2 million more than in the previous year.
In the fifth year of compiling the report, PwC analysed the data protection enforcement actions of the Information Commissioner’s Office (ICO), looking in particular at monetary penalties, enforcement notices, prosecutions and undertakings. The data showed that, while the total sum of fines has indeed increased, the number of enforcements issued actually fell to a total of 67 in 2018 from 91 in the previous 12 months.
A further reading of the Privacy and Security Enforcement Tracker shows that marketing accounted for 50% of infringements, with telephone calls accounting for 64% of marketing infringements. A quarter of all enforcement actions relate to personal data security breaches.
In addition, private sector companies accounted for 86% of the enforcements, but scrutiny remains on the public sector given the sensitive nature of the data it handles.
Stewart Room, lead partner for the General Data Protection Regulation (GDPR) and data protection at PwC, commented: “2018 was a transitional year for data protection in the UK with the introduction of the GDPR in May, but the trend of enforcement remained constant in comparison with previous years as marketing and security infringements dominated the regulatory agenda. The absence of any GDPR fines in 2018 wasn’t surprising, as it takes many months for cases to work through the system, but we know that they’re on their way.”
Room concluded: “As well as looking at how to improve their levels of legal compliance, I would encourage organisations to focus on how good approaches to the handling of personal data can help them to deliver on their business purpose and assist with sustaining the creation of long-term value and trust.”
Bigger data privacy picture
Alex Scheinman (director of privacy, cyber security and risk at ACA Compliance) believes that, even one year on, the GDPR is still only a small part of a much bigger data privacy story.
Scheinman commented: “The world is changing and there’s a systemic shift in the way the public believes firms should be handling data privacy, no matter where their clients are based. Over the last year, no less than 260,000 complaints were recorded, suggesting huge awareness around new data rights. The GDPR has pushed data into the spotlight leading to a growing public awareness around how businesses should protect it. Given high-profile cases such as those involving Facebook and Cambridge Analytica, even Governments outside of the EU are starting to pay attention. In the US, there are now ‘copycat’ bills and possible federal laws on the horizon.”
He added: “One year into the GDPR, there are still firms in Europe that are only now beginning to implement the procedures and functionality to their systems. At this stage, they should be maintaining and revisiting these processes. Although enforcement in Europe has been low, we fully expect fines to pick up this summer.”
Colin Tankard, managing director of data security company Digital Pathways, informed Risk Xtra: “I’m not sure that we’re any safer now than before the introduction of the GDPR. This time last year, companies were in a frenzy, rushing to have all the relevant documentation in order so that their policies and statements required by the new legislation were in place. All of us, I’m sure, were bombarded with opt-in requests, allowing businesses to continue to send us marketing information, etc. However, while tidying up these processes can be seen as a positive step, it feels to me as if it was purely a tick-box exercise. Little seems to have been done to actually protect data, which is borne out by the number of public breach declarations we’ve seen. If the data had been adequately secured by the use of encryption, such breaches wouldn’t have been required to become public. A notification to the ICO would have been all that was needed.”
Tankard went on to state: “As a result of the GDPR, the number of Subject Access Requests has dramatically risen. Many organisations are struggling to know exactly where PII data is or how it’s stored and protected. While there are systems to deal with this, companies don’t seem to have signed up to them. Cloud storage may also present a problem. While market players such as Microsoft and Google tell us they’re GDPR compliant, I wonder how any company using these services can say that they’re compliant in the event of any breach as there are few tools which allow the analysing of logs in order to trace how the breach occurred.”
In conclusion, Tankard explained: “Most companies have indeed tightened their policies, but in order to comply with the GDPR, it’s my feeling that few have considered how they’ll enforce these policies or have put in place technology to enable easy compliance with data requests going forward. I would say there is still much work to be done.”
*PwC’s 2018 Privacy and Security Enforcement Tracker can be viewed online here: https://www.pwc.co.uk/privacytracker