Now that we’ve welcomed in 2020, it seems an opportune moment to refresh our memory of some of the biggest data protection news stories from 2019.

It may not have been quite as significant a year for legislative change, compared to the momentous changes GDPR brought in 2018, but 2019 posed a different kind of challenge. To quote the ICO, ‘people have woken up to GDPR’… and 2019 brought the first substantial  fines under the new era.

And whilst we’re (hopefully) all familiar with the British Airways fine issued in July, there were other key moments defining the new era of data protection – and some case studies to bear in mind when considering your own data protection initiatives.

1. British Airways and the £183.39m fine

The British Airways intention to fine is taking the number one spot for obvious reasons, given the size of the penalty and the fact that it really ‘kicked off’ the bout of fines led by the ICO,and sent a clear message to other GDPR ‘offenders’. The fine related to a ‘cyber security’ incident in September 2018, when hackers accessed the British Airways website and were able to divert online traffic to a fraudulent website, allowing access to passenger details such as credit cards, passport numbers and addresses when they placed a booking. Cyber security related incidents continue to be one of the most common causes of a data breach.

2. First ICO imposed imprisonment given to former Nationwide Accident Repair Service worker

In July, Mustafa Kasim was sentenced to 6 months imprisonment and ordered to pay a £25,500 confiscation order, having been found guilty of accessing personal data without permission. Kasim used another employee’s log in details to access the software which stored customer data when he was not authorised to do so, continuing to do this even after leaving the company. He used these details to contact the customers himself and is said to have gained thousands of pounds in benefit from doing so. Staff error or misuse of data is often raised to us as a cause of a data breach. Training can help reduce the risk of employees acting incorrectly, either accidentally or on purpose and allows companies to evidence compliance through training records.  

3. Superior Style Home Improvements were fined £150,000 for making lots of unsolicited, cold ‘nuisance calls’

In total, the ICO received 83 individual complaints regarding the Swansea based double glazing firm Superior Style Home Improvements, which prompted an ICO probe into its sales and marketing methods. It was discovered that the company had been making sales calls to numbers registered on the Telephone Preference Service which should have allowed subscribers to avoid any uninvited contact for marketing purposes. The ICO found 850,000 calls had been made without consent between 2017 and 2018, initiating a fine of £150,000 under the Computer Misuse Act.

4. London Pharmacy was fined £275,000 for ‘careless’ storage of data

In December, Doorstep Dispensaree Ltd was fined £275,000 after it was discovered they had left 500,000 documents in unlocked containers in a courtyard at the back of its Edgware premises. The documents contained sensitive personal information relating to care home patients, including NHS numbers, medical records and prescription information as well as full names, addresses and dates of birth. Following an investigation, it was discovered the company hadn’t updated its data protection policies since 2015. Remember, your responsibilities for data begin when you collect it and remain through its use, storage, transportation and ultimate secure disposal. Storing any personal data, particularly sensitive data such as health information, is a crucial part of protecting data. Doing so incorrectly can have serious consequences.

5. Stockport Homes Limited employee fined for accessing data without a ‘legitimate’ reason

A former employee of Stockport Homes Limited was fined £300 after being found guilty of unlawfully accessing personal data without having a legitimate reason to do so. An investigation found Wendy Masterson had accessed SHL’s platform for storing data a total of 67 times in 2017, looking at anti-social behaviour information. She pleaded guilty to being in breach of s55 of the Data Protection Act 1998 (as the offence took place before the release of the updated legislation, she was found guilty under the previous act). Data Controllers should provide effective Data Protection training, refreshed at appropriate intervals. We recommend all employees have a level of data protection training relevant to their interaction with data. It is also good practice to evidence staff awareness and acceptance of policies and procedures and to monitor their access to personal data.

The Information Commissioners Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The team regularly conduct investigations into data protection matters and offer advice and guidance for any company wishing to update or improve data protection policies and management.

Our comprehensive services at BLS Stay Compliant include training and consultancy by experienced experts to ensure all staff members of your organisation are up to date with the latest legislation and understand their role in data protection.

We can work with you on a managed service level, offer guidance on your data protection policies and conduct audits to check your compliance where necessary, amongst a host of other options! Get in touch to find out more.