The key themes of ICO action taken against companies failing to comply with data protection legislation.
The Information Commissioner’s Office (ICO) is an independent authority that upholds information rights, focusing on data protection and privacy laws, including the enforcement of UK GDPR (General Data Protection Regulation) and the Data Protection Act 2018. The ICO ensures organisations comply with laws about how personal data is handled, providing guidance and investigating complaints.
The ICO also has the authority to issue reprimands or penalties to organisations that violate data protection laws. Many of these are issued after investigations into the mishandling of personal data or a failure to meet the required standards of compliance.
What kinds of penalties does the ICO impose on organisations found to be in breach of data protection legislation?
- Enforcement notices: If there is found to be a breach of data protection law but the violation isn’t severe, the ICO may issue a warning, asking the organisation to address the issue and ensure future compliance – usually within a set timeframe.
- Reprimands: For more serious or repeated violations, the ICO may issue a formal reprimand, notifying the organisation that their actions have breached data protection legislation. This serves as a public record of the issue, urging the organisation to take action to improve their compliance.
- Monetary penalties: If the violations are more severe or show a pattern of non-compliance, the ICO can and does impose significant fines. The maximum fine can reach up to £17.5 million or 4% of annual global turnover, whichever is higher.
- Other enforcement actions: The ICO can also take other actions, such as imposing temporary or permanent bans on data processing or requiring organisations to implement measures to improve their data protection practices.
The ICO issued 46 reprimands in 2024 and dealt with over 2,000 complaints regarding the handling of freedom of information and environmental information requests.
Among those 46 reprimands were a variety of enforcement notices, formal reprimands and a total of 18 monetary penalties. The highest penalty cost the organisation £750,000. That organisation was fined for breaching UK GDPR after it was discovered that the personal information of almost 10,000 employees had been disclosed on a public website.
So what can we learn from data protection security incidents that resulted in reprimands and other action taken?
1. Cyber incidents remain a concern, but non-cyber related incidents are on the rise.
The latest data security trends released by the ICO show that data being emailed to an incorrect recipient was the biggest cause of incidents reported, suggesting that human error and organisational failures are causing an increasing number of data breaches.
Providing all members of staff with regular data protection training and regularly reviewing and ensuring correct procedures are in place when handling personal information can help to reduce this risk.
2. Failure to redact has become a much more common reason for data breaches.
According to the same security trends from the ICO, incidents caused by a failure to redact personal information increased by 68% year-on-year. In 71% of these cases, formal action was taken against the organisation.
Again, regular training for all members of staff can help ensure redaction becomes common practice in any organisation. Data protection policies and adequate procedures help to reduce the risk of a mistake where personal data is not suitably redacted.
3. Not responding to requests for information within the required timeframe was a leading cause of reprimands in 2024.
Many organisations were investigated and had action taken against them for being too slow in responding to Subject Access Requests (SARs). In one case, it was discovered that the organisation had a backlog of uncompleted SARs dating back to 2018.
Individuals have the ‘Right to Access’ personal data under the UK GDPR and the legislation states the request must be completed within one calendar month.
4. Many organisations faced fines for breaching the Privacy and Electronic Communications Regulations (PECR).
The PECR legislation covers data protection rights specific to electronic communications, with rules on marketing calls, emails, texts and faxes, as well as cookies and other website traffic and analytics data. Several organisations were reprimanded for breaching the regulations on unsolicited calls, gathering data without consent and ‘spam’ messages.
Data protection and marketing can be a tricky area to navigate. Specific training can ensure organisations are aware of what they are able to do with regards to marketing, fundraising and advertising within data protection legislation.
5. Almost a quarter of all data security incidents occurred within the health sector.
A total of 23% of incidents were attributed to the health sector, a 6% increase year-on-year. A further 12% of incidents occurred within the education sector and 11% in retail and manufacturing, both also up since 2023.
Health data is rich in sensitive personal information, making it a key target for cyber criminals. Beyond its appeal to hackers, many data storage systems within healthcare organisations are complex and often incorrectly secured, and a high volume of users accessing personal information increases the scope for human error, which leads to many data breaches.
What action can be taken to better protect personal data and stay compliant with legislation?
- Keep any systems storing data secured and up to date, with policies and procedures for use, ensuring all members of staff are aware of these and what to do if there appears to be a problem.
- Train all members of staff in basic data protection, including how to recognise and respond to Subject Access Requests and Freedom of Information requests and how to correctly redact information.
- Allow for human error and ensure that staff are adequately trained and aware of data protection basics, such as using BCC and double-checking for mistakes before sending any personal information over email.
- Be thorough when creating marketing plans and deciding how they will involve personal data – ensure cookie policies and analytics give users the opportunity to refuse consent, and that consent is not automatically assumed when someone visits a website.
BLS Stay Compliant offers a variety of online training, including our online Subject Access Request training which covers redaction and communications surrounding the request itself. We also offer a data protection overview, covering the basics of UK GDPR and best practices for staying compliant.
All our training can be delivered as a bespoke option or by joining one of our regular sessions bookable online.
We also offer a Managed Service, so the onus of any data protection query, from SARs to data breaches and everything in between, can be managed by our team of experts, taking the pressure off organisations to stay compliant.
If we can be of any assistance, please just get in touch.