One year on and the Information Commissioner's Office (ICO) has yet to issue a fine under GDPR. This is despite it receiving a total of 14,072 data breach notifications from 25 May 2018 to 1 May 2019 (a fourfold increase on the year before). This makes the UK a top-three country for data breach reports (behind the Netherlands and Germany), although the ICO will take no further action on the vast majority of these reports.
The main reason for the lack of fines is the long investigative tail that accompanies data protection investigations. An inspection of the ICO website shows that recent enforcement decisions are generally concerned with breaches that occurred in late 2017 and the start of 2018 (which fall under the Data Protection Act 1998 rather than the new regime). This suggests that we should see a flow of decisions (and fines) under GDPR in the next few months, which will give us a clearer idea of the ICO’s approach to enforcement.
HMRC’s unlawful processing
One interesting enforcement decision under the GDPR regime has been made, and it involves HMRC. HMRC was found to be unlawfully processing the biometric data of around 7 million customers through the use of a voice authentication system on its helpline. Biometric data is classified as “special category” personal data, and HMRC failed to identify a valid lawful basis under Articles 6 and 9 GDPR (such as the customer’s explicit consent) for processing this data.
HMRC tried to remedy this error by contacting the individuals concerned to retrospectively request consent. Of the 7 million contacted, around 20 per cent responded, 1 million customers consented and 200,000 withheld their consent. The ICO has ordered HMRC, and any of its suppliers who also processed the biometric data on HMRC's behalf, to delete the customer records for which it did not have explicit consent (over 5 million records).
So why no fine?
In making its decision the ICO took into account the large numbers of people affected, the imbalance of power between HMRC and its customers and the lack of consideration that was given to data protection principles when HMRC rolled out the voice authentication system. However, it also noted the absence of distress or damage caused to individuals and the context in which the personal data was processed. It considered that a stop processing notice was proportionate.
The ICO had stressed prior to GDPR that issuing fines would be a last resort. This decision would appear to support that approach and may indicate that, particularly where individuals are not significantly impacted, the ICO will look to other available measures such as “stop processing” notices.
Let’s see what the next few months bring.