As we approach the fourth anniversary of GDPR, we have analysed what causes the Information Commissioner’s Office (ICO) to issue fines following data security breaches. We hope that our findings help organisations identify the areas to focus on in order to avoid attracting the ICO’s attention.
As you will see, we have carried out our research by reference to what we consider to be five key Monetary Penalty Notices (MPNs) issued by the ICO under the GDPR regime. Some of those MPNs are “blockbuster” fines like those for BA and Marriott. Others illustrate that no organisation is immune from sanctions (see those issued to the Cabinet Office and the charity Mermaids). We have taken each MPN and analysed it to extract what the ICO is really concerned about when a data security breach happens and what triggers the ICO to take enforcement action. This is all in the context of the ICO’s Five Step Regulatory Action Policy (RAP).
We will be holding a webinar to discuss these issues on 15 June. An invitation will follow shortly.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, May 2022