The BOSS Federation is the trade association which serves the UK office supplies and services industry by providing a range of initiatives, cost saving benefits and services, to enhance the business performance of its members.
Happy Birthday GDPR
06 August 2019
It has been over 12 months since the introduction of the General Data Protection Regulations (GDPR), which are now incorporated into UK law as the Data Protection Act 2018.
This time last year, BOSS was very busy helping members prepare for compliance with the new rules. Along with the BOSS Federation, we delivered 26 GDPR workshops with 605 delegates attending, and assisted approximately 150 member companies to become compliant.
For many companies, this may have ultimately been a useful exercise, encouraging them to be more systematic about ensuring that they have contracts and other documents in place and making them more aware of what data they actually hold and for how long. For others, the new regulations may have been seen as an obstacle to business, especially the rules around data processing agreements, with most template agreements requiring service providers to identify their sub-contractor data processors.
The introduction of the GDPR was heralded with dire warnings about the penalties that could be imposed by the regulator, the Information Commissioner’s Office (ICO), for noncompliance. Those penalties could be as much as 4% of a company’s worldwide turnover, or 20 million euros, whichever is the higher.
In the first three months after the introduction of the GDPR, the ICO reported a doubling of the number of complaints received, and it anticipates that this will further increase as more individuals become aware of their rights to protect their data.
A review of the enforcement action taken by the ICO over the last quarter shows us that the regulator is prepared to take a firm approach with businesses sharing data or sending marketing messages in breach of the rules.
- In November 2018, the ICO fined ride-sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack.
- In December 2018, Tax Returned Limited was fined £200,000 for sending out 14.8 million unsolicited marketing text messages.
- In January 2019, Alistair Green Legal Services Limited received a fine of £80,000 for making unsolicited telephone calls.
- Leave.EU Group Limited received two penalties of £45,000 and £15,000 for sending unsolicited messages, and Vote Leave Limited received a fine of £40,000 for its unsolicited messaging.
- The largest penalty so far was imposed in April 2019 on Bounty UK Limited, which has received a fine of £400,000 for sharing personal data unlawfully.
In addition to its powers to issue fines, the ICO can also issue Enforcement Notices, and if these are not complied with, the ICO can take further action.
Other penalties have been handed out for failure to pay the data protection fee, and some individuals have received penalties for unlawfully accessing personal data, including medical records and criminal conviction data.
The ICO has indicated that it is determined to ensure that personal data is used and shared properly and legally and is prepared to impose severe penalties on businesses that ignore the rules.
If you are not sure whether your business is compliant and you need advice, please contact Nicola Langley, Head of Legal & Commercial Solicitor, at [email protected]