Data breaches see three organisations handed six-figure fines

Online baby advice company, Emma’s Diary, is facing a potential £140,000 fine from the Information Commissioner’s Office (ICO), after it emerged that the organisation had illegally shared data with the Labour Party ahead of last year’s general election.

The ICO claims that it has uncovered “significant concerns” regarding the ways in which Emma’s Diary collected and shared data, which allegedly involved gleaning data from maternity wards and sharing it with brokers.

The company plans to make representations to the ICO to fight its case and argue that the intended fine should be reduced. The ICO will hear such arguments before it makes a final decision on the matter.

The news comes at a busy time for the ICO, which announced that Facebook would face a £500,000 fine over very similar data protection failings associated with the heavily publicised Cambridge Analytica scandal.

The ICO has also fined The Independent Inquiry into Child Sexual Abuse (IICSA) £200,000, after the organisation was found to have sent a mass email that identified possible abuse victims.

An investigation into the highly sensitive data breach discovered that a member of the inquiry’s staff had emailed 90 potential victims, using the “to” field instead of the “bcc” field – allowing recipients to see each other’s addresses.

Matthew Johnson, an Associate with Palmers, who specialises in legal issues relating to data protection, said: “These recent cases illustrate that the ICO is not a watchdog without teeth – on the contrary, where data breaches have occurred, substantial fines have been imposed.

“However, it is interesting to note that these three data breaches all occurred when the old Data Protection Act was in force.

“If these offences had occurred after 25 May 2018, when the new General Data Protection Regulation (GDPR) came into force, these serious data breaches could have resulted in the organisations potentially facing fines of up to four per cent of global turnover, or €20 million, whichever is higher.”

Matthew added: “Many companies will have put in place additional safeguards to ensure their data processing is compliant but GDPR continues to cause confusion for some, so if your business is still wondering whether it is fully compliant or you have concerns relating to data protection, it’s not too late to find out.”

For help and advice on GDPR and how your business can ensure it fully meets the new legislation, please contact us.