The ICO (Information Commissioner’s Office) has, for the first time, issued the maximum fine permissible – £500,000 – to Equifax Ltd in response to a breach of the DPA (Data Protection Act) 1998.
The investigation into the September 2017 breach, in which the personal data of up to 15 million UK residents was compromised by a cyber attack, apparently revealed ‘multiple failings’.
Although the attack was against Equifax’s US parent company, a file containing data from its UK entity that was stored in the US was also accessed.
Key points to note in respect of the EU GDPR
1. Investigations into complex cases and determination of penalties can take a long time. We won’t see the first GDPR penalties being issued until 2019.
2. Penalties, even in relation to the DPA 1998, reflect the overall state of compliance, not just the specific transgression. The ICO has always been clear about this. When you have a breach, your whole approach to GDPR compliance is going to be assessed, and penalties will be based on the flaws and inadequacies revealed. Skin-deep GDPR compliance will not be enough.
3. £500,000 is the maximum fine under the DPA 1998. Under the GDPR, the fine would have been 4% of the UK entity’s annual global turnover, which, in 2017, was £122 million. So, the UK fine would have been £5 million. This would have reduced UK pre-tax profit by a fifth: enough to hurt a standalone business, but probably not enough to hurt a global giant such as Equifax.
4. The class-action suits rumble on. These will cost more – in legal fees and awards – than the fine. This situation will become more pronounced under the GDPR – class actions will start long before monetary penalties are determined, will continue for years and will be seriously expensive – as British Airways is about to discover.
Non-executive directors and company auditors need to be asking their boards far more searching questions about GDPR-breach readiness, as post-breach actions are always too late.