Data is the lifeblood of the economy in today’s business world; consequently, it is increasingly a critical element of any organisation’s growth strategy to ensure that its approach to data protection compliance does not hinder its progress.
It is not just the issue of appearing careless with customer or staff personal data that organisations should be concerned with: they can also suffer serious financial consequences, either as a result of the Information Commissioner’s Office (ICO) taking enforcement action or because an aggrieved individual has brought a court claim for compensation (discussed in more detail below). For these reasons, it is important that organisations understand the full implications of getting data protection wrong.
1. ICO enforcement action
The ICO has a wide range of regulatory actions at its disposal for infringement of data protection legislation, including:
- Information notices: a formal request from the ICO to provide information within a specified timeframe. If a company fails to comply with an information notice in a timely manner, the ICO may apply for a court order requiring a response or may issue a penalty notice.
- Enforcement notices: the purpose of an enforcement notice is to require the recipient to take certain action within a specific timescale to bring about compliance with information rights, to remedy a breach, or both. This could include requiring an organisation to stop using personal data for a specific purpose. If an organisation fails to comply with an enforcement notice, the ICO may consider taking further action, including but not limited to issuing a monetary penalty notice.
- Monetary penalty notices: the ICO has the power to issue a monetary penalty for infringement of data protection legislation. There are two tiers of infringement, each with its own maximum penalty: the ‘higher maximum’ and the ‘standard maximum’.
The higher maximum
Organisations may be fined up to £17.5 million under the UK GDPR, or €20 million under the EU GDPR, or 4% of annual global turnover for failure to comply with any of the data protection principles, or the individual’s rights, or in relation to transfers of data to third countries.
The standard maximum
Organisations may be fined up to £8.7 million under the UK GDPR, or €10 million under the EU GDPR, or 2% of annual global turnover for infringement of other provisions such as administrative requirements of the legislation.
- Inspection powers: the ICO is able to conduct an inspection, or to authorise another organisation to conduct it on its behalf. In most cases the outcome will be an audit report setting out recommendations, which could lead to formal enforcement action.
- Reprimands: a written letter stating that the ICO believes an organisation has failed to meet its data protection obligations. It is usually accompanied by a list of reasons for the decision and recommended steps that the organisation should take. The ICO announced in December 2022 that it would begin to routinely publish reprimands, unless there was a good reason to refrain from doing so.
2. Reputational damage
Hefty fines for non-compliance with data protection legislation tend to grab the headlines; however, organisations should also be aware of the reputational damage that can arise and its potential knock-on effects. ICO enforcement action is usually published and is therefore in the public domain, so it is often not long before news of the action spreads, which can affect customer confidence and ultimately profits. Whilst a monetary penalty is potentially manageable, the negative effects of bad publicity could mean that consumers no longer trust an organisation, which can be fatal to a business in the long term.
3. Claims from private individuals
The ICO is not able to make compensation awards in favour of individuals; however, UK GDPR gives data subjects a right to claim compensation in court under Article 82 where they have suffered material or non-material damage as a result of an infringement. Quite often data subjects will run a complaint with the ICO at the same time as a compensation claim through the courts, as a determination by the ICO that UK GDPR has been infringed could be persuasive in the eyes of the judge.
In the event that an individual is successful in their claim, the organisation could be liable for damages and costs, and could also suffer reputational damage, as court proceedings are usually open to the public.
4. A drain on resources
Whether or not an allegation of an infringement has merit, an organisation could spend unnecessary amounts of time evaluating and responding to issues, which ultimately distracts from its ability to carry out its core business activity and can affect its bottom line. For example, significant amounts of staff time can be exhausted when dealing with data subject access requests or evaluating personal data breaches. Some of this time can be minimised by having the correct compliance documentation in place at the outset, as well as a robust data protection governance structure of roles and responsibilities.
How can we help?
Harper James can assist you with assessing your organisation’s compliance with data protection legislation and helping you pinpoint areas of weakness that could lead to potential enforcement action and/or slow you down in your ability to respond.
Don’t wait until you’re already on the back foot! Get in touch with one of our data protection specialists today to identify what steps should be taken to stay compliant with data protection laws.
Let us do the hard work and make sure you are compliant. Read more about our health check audits here.