Employment

5 Illustrative GDPR Fines

Maryam Abu HusseinMaryam Abu Hussein
Last updated on:
November 3, 2022
Published on:
November 2, 2022

Read our guide to privacy notices now

Read the Guide

The UK General Data Protection Regulation (UK GDPR) came into effect in early 2021 and, together with the Data Protection Act 2018, forms the mainstay of the UK’s body of data protection law. The GDPR sets out various principles relating to the processing of personal data, including the obligations of those who hold and process individuals’ personal data (data controllers and processors) and the rights of those whose data is processed (data subjects). 

Any UK-based company or organisation that processes data in the UK must comply with the UK GDPR. The UK GDPR applies to the processing, whether automatic or manual, of personal data. Compliance with the principles of the GDPR is also required of organisations based outside of the UK, but whose processing activities monitor the behaviour of data subjects in the UK and relate to the provision of goods and services to data subjects in the UK.

There are two possible courses of action that can be taken against a non-compliant organisation: legal action brought by an affected data subject (or a collective action by many affected data subjects) and fines issued by the Information Commissioner’s Office (ICO).

The ICO is an independent body responsible for enforcing the UK’s data protection laws. It can issue fines with a maximum limit of £17,500,000 or 4% of the undertaking’s annual turnover. Fines issued by the ICO are paid into a central government bank account and are used to pay for public services.

This article discusses five GDPR fines issued by the ICO that illustrate the different ways in which the UK GDPR can be breached and how each breach, and each ensuing fine, could have been avoided.

The Cabinet Office

In 2021, the Cabinet Office was fined £500,000 by the ICO. Ahead of the new year, the Cabinet Office published the content page for the New Year 2020 Honours List on the government's official website. Due to human error, the web page contained a file of the correspondence address of each recipient.

The file of addresses remained accessible to internet users for a total of two hours and twenty-one minutes, and was accessed 3,872 times. No Cabinet Office employee realised that the final version of the post contained the file of addresses.

The ICO found that, despite the Cabinet Office's compliance with the notification procedure and its cooperation during an investigation of the breach, the Cabinet Office did not have in place adequate technical and internal organisational measures to ensure a level of security that was proportionate to the risk associated with processing the data required to publish the New Year Honours List.

The breach was deemed negligent, and it was further found that the Cabinet Office had missed several opportunities to identify and remedy the file in order to prevent the breach. 

The takeaway: While human error can never be completely eliminated, it is entirely within every organisation's power to ensure that adequate security measures are in place to ensure that no personal data breaches occur and that data subjects' rights are upheld. These measures can include staff training, frequent compliance checks and multi-factor authentication.

Papa John's

Papa John's was fined £10,000 in 2021 for sending 168,022 nuisance marketing communications to customers.

Businesses can collect information for marketing purposes from customers whose details have been obtained during the sales process, provided that the customers are given the opportunity to 'opt-out' of the marketing.

In this instance, while customers who ordered pizzas in-store or on the website and app were able to view Papa John's privacy notice and were able to easily opt-out of marketing, customers who ordered pizzas over the telephone were not given this option. The ICO found that Papa John's had not taken reasonable steps to prevent the breach or to ensure that no breach would occur when customers placed orders over the phone.

The takeaway: Organisations should not assume that a one-size-fits-all approach to GDPR compliance will suffice to prevent GDPR infringement. All instances in which personal data is processed should be compliant and organisations must obtain valid consent from data subjects in order to process their data.

Create lawyer-approved contracts for free for 7 days

Ticketmaster

Ticketmaster was fined £1.25m by the ICO in 2020. Personal data was compromised following a cyber-attack on a chatbox that was installed on the company's payments webpage.

The breach affected millions of customers and put data relating to their contact details, personal information and payment details at risk. Barclays reported that a total of 60,000 individuals' card details were compromised.

The ICO found that Ticketmaster had not put into place effective security measures both before and after the breach occurred, and that the inherent risk of installing a chatbox on the payment page had not been adequately considered.

This was further compounded by the fact that Ticketmaster failed to take action with regard to the breach until nine weeks after fraudulent activity was suspected. It also took the company four months to officially notify the ICO of the breach. 

The takeaway: It is important to take action to mitigate a personal data breach as soon as possible, both to comply with GDPR principles and to minimise the risk to data subjects.

Clearview AI

Clearview AI was fined £7.5m in 2022 for the unlawful processing of sensitive data. Clearview AI is an American facial recognition company that used the internet to collect over 20 billion images of people from the UK in order to curate a global database for facial recognition purposes. Importantly, none of the people in the photographs were informed by Clearview AI that their photographs had been collected for this purpose.

The ICO found that Clearview AI was processing the personal data of the UK residents whose pictures appeared in Clearview's database, meaning that the company thus had to comply with the UK GDPR and had failed to do so.

The ICO found that Clearview's processing breached several principles of the GDPR. In particular, its processing of personal data did not comply with any condition for the lawful processing of data.

Clearview AI was also heavily fined by other data protection authorities in the European Union, including the Italian data protection authority.

The takeaway: Organisations that operate outside of the UK should not automatically assume that they need not comply with the UK GDPR. Any company whose compliance is required must ensure that they have a valid legal basis (and informed consent) for data processing.

British Airways

British Airways was fined £20m in 2020 for failing to adequately protect customer data by processing personal data without security measures in place. This is the largest of the GDPR fines so far issued by the ICO.

The airline suffered a cyber-attack in 2018 and did not detect this for over two months.

The attack compromised the personal data (including names, correspondence addresses and payment details) of over 400,000 customers.

The ICO's investigation of the breach revealed that there was a serious failure on British Airways's part to implement appropriate security measures in line with the GDPR. The fine was initially set at £183.4m, which would have constituted the largest fine issued by the ICO in its history. The fine was later reduced to take into account the financial impact of the Covid-19 pandemic.

The takeaway: Even where a breach would not have occurred but for the actions of a hacker, it is important to implement security measures and to have a framework in place to allow for the early detection of cyber-attacks and other potential risks to personal data.

How Legislate can help you stay GDPR-Compliant

Legislate helps employers issue lawyer-approved data protection documents, including GDPR privacy standards. Legislate's latest update allows users a side-by-side view of the terms selection tab and the contract, meaning that users can easily access the parts of a contract that contain data protection provisions. Coupled with internal data protection measures, these features can help to facilitate and readily demonstrate GDPR compliance.

Create your privacy notice now

Get Started

Keep Reading

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.