For those of you wondering what on earth the ICO (Information Commissioner’s Office) is doing in terms of regulatory action in relation to privacy, their latest update identifies some recent financial penalties:
- A television production company was fined £20,000 for unfairly filming patients at a maternity clinic;
- The London Borough of Newham council was fined £145,000 for disclosing the personal information of people featured on a police database;
- A GP practice manager was fined for sending personal information to her own email account.
These are all still related to the DPA (Data Protection Act) 1998, which demonstrates again how long it takes for actions to be concluded. These fines also demonstrate that targets can range from large public authorities to individuals – and the breaches are not classic cyber security breaches, but breaches of what should be established procedures.
The message for any of our customers that might be thinking that GDPR (General Data Protection Regulation) enforcement action will never happen or that, if it does, it will only be focused on the big firms, is that now might be the time to re-double efforts to establish DPbDabD (data protection by design and by default). After all, failure to do so can itself be punished with a 2% fine.