After all the noise about massive GDPR penalties, it might look as if the GDPR isn’t being enforced in the UK.
All the fines currently issued by the ICO are still based on the old legislation – the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations, with a maximum penalty of £500,000. Most ICO investigations, especially those which result in a fine, take upwards of 6 months, and often more than a year, so we wouldn’t expect any massive increases yet … perhaps in the first half of 2019.
Quietly, though, another form of enforcement is appearing. Article 82 of the GDPR says:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
Two things worth noting here are that this includes ‘non-material’ damage (i.e. stress) and ‘infringement of this Regulation’ – there doesn’t need to be a data breach (although this is the most likely source of damage), just an infringement of any part of the Regulation as long as there is damage to a data subject.
There are already no-win, no-fee solicitors advertising their services to pursue compensation claims of this sort. In particular, one English firm of solicitors is advertising claims for the Ticketmaster breach on their website, suggesting that claimants could each be awarded as much as £5,000. A significant number of claims raised against the same company could very easily be much more painful than a fine imposed by the ICO – the Ticketmaster breach is believed to have affected more than 40,000 data subjects. If you have large customer databases it is essential that you have ‘appropriate’ security in place as that will mean you won’t infringe the Regulation even if you have a data breach.
Enforcement of the GDPR is still evolving; the levels of fines and compensation should become much clearer in the next twelve months.