In November this year, the Information Commissioner’s Office (ICO), the body responsible for enforcing data protection law in the UK, demonstrated a markedly stricter enforcement policy.
Having previously taken a fairly hands-off approach to Google’s mistaken collection of personal data via its StreetView patrol vans, the ICO re-assessed its response.
It subjected Google not only to an audit, but also to a written undertaking that it would not carry out any similar unauthorised data collection in the future.
At the end of that same month, the ICO also issued its first fines for data losses: £100,000 against Hertfordshire County Council for misdirected faxes, and £60,000 against an employment services company for loss of an unencrypted laptop. Both contained sensitive personal data.
The ICO’s change of heart has come about as both a result of the appointment of its new information commissioner, Christopher Graham, and increasing pressure from the EU to implement EC data privacy law effectively (the UK has recently been taken to court for its failure to regulate unlawful interception of communications and unlawful behavioural targeting technology properly).
November 2010 symbolises a watershed moment for data protection in the UK and the ICO’s gloves are well and truly off (well, on one hand at least).
Brands and agencies alike should be alert to an increasingly bullish regulatory climate, and the potentially adverse PR that may result from any data mishaps.
So where does this new hard-line approach of the ICO leave companies that are using data and how concerned should they now be about effective data privacy compliance and information management?
Firstly, only data controllers (those who determine the purpose for which data is used) and not data processors (those who process data on behalf of data controllers) are liable under UK data protection law.
However, where an agency is processing data on behalf of a brand, they may also be liable for any data breach under their client agency agreement.
Currently, the ICO’s guidance states that companies need only make the ICO aware of ‘serious breaches’ and that any notification is voluntary. However, failure to notify may mean that a higher fine is imposed if a serious breach is subsequently discovered by the ICO - currently the maximum fine for serious breaches is £500,000.
Whether a breach is ‘serious’ will depend on the amount of data lost, how sensitive it is and what potential ‘harm’ or ‘distress’ is likely to result from the breach.
Depending on the circumstances, companies that have committed the data breach may also wish to notify the individuals whose data is affected directly, either to satisfy an undertaking issued by the ICO or to mitigate any loss or distress suffered by an individual resulting from the breach.
In general, adhering to a policy of transparency and openness in the event of a ‘serious’ data breach or loss will be a prudent course of action, but how will a brand feel about having to notify its own customers that it has lost their personal data? Not overly eager I imagine.
Being required to notify customers about a breach may be a more effective deterrent and is more likely to hurt a brand than paying a fine - particularly with regard to large multinationals like Google, for whom £500,000 is a drop in the ocean.
In the US, unlike the UK, companies are under a statutory duty to notify affected individuals. Interestingly, there is no liability in terms of fines for data breach itself, yet it has proved to be an effective deterrent.
The ICO could implement a similar regime in the future, which could have some potentially damaging consequences: notifying customers directly can cause substantial reputational risk and investigating each breach is a costly exercise.
Implementing pro-active and preventative data security measures to prevent data breach is not simply good compliance; it is good business practice. It can also provide a competitive advantage when pitching, as well as ensuring that a brand protects its reputation.
Philip James, senior associate in Lewis Silkin's Media, Brands & Technology Team.