The Latest News Around ICO Data Protection Enforcement


Apr 29, 2024 | Articles

In December 2023, the Information Commissioner’s Office (ICO) announced it had dropped its investigation into the 2020 data breach by easyJet. The breach resulted in the theft of personal details and travel itineraries of around nine million people, as well as the stealing of 2,200 people’s credit card numbers. The ICO cited “limited resources” as the reason the investigation was shelved. This news seemed to be the pinnacle of a challenging few years for the data protection regulator. In March 2024, the Open Rights Group (ORG) published a critical piece on the ICO, stating that it had a “poor track record” and pointing out that “in 2021-22 it did not serve a single GDPR Enforcement Notice, secured no criminal convictions, and issued only four GDPR fines totalling just £633,000, even though it received over 40,000 data subject complaints.”

Although the ICO appears not to have been vigorous in its enforcement of the UK GDPR, that does not mean that businesses and NGOs can disregard data protection and privacy compliance. Enforcement Notices have recently been issued to the Home Office and the UK-based charity Penny Appeal, demonstrating the regulator still has teeth.

What is the difference between an ICO Enforcement Notice and an official reprimand?

An official reprimand is sent to an organisation after the ICO has completed its investigations. It sets out the key issues regarding compliance failure and the legislative provisions that have been breached. Recommendations will be made concerning how the organisation can reach compliance and the ICO will ask for regular reports regarding the implementation of these recommendations.

If an official reprimand is not complied with, the ICO will issue an Enforcement Notice. These require the recipient to cease infringing activities and failing to comply with an Enforcement Notice can be treated as contempt of court.

Failure to comply with a reprimand could also result in fines of up to £17.5 million or four per cent of the organisation’s total annual worldwide turnover in the preceding financial year, whichever is higher.

What were the details of the Home Office’s and Penny Appeal’s data breaches?

An Enforcement Notice was issued to the Home Office after it was found to have not carried out a Data Protection Impact Assessment that satisfied the requirements set out in Article 5 of the UK GDPR, in relation to its pilot programme of using electronic monitoring ankle tags.

The pilot, which involved tagging 600 migrants who were on immigration bail, ended in December 2023. However, the Home Office kept the GPS location data collected by the tags and continued to access and use that data as well as sharing it with third-party organisations. The ICO stated that the Home Office failed to show accountability as although it demonstrated that the data processing was lawful, it failed to show that it was necessary and proportionate or why less intrusive methods could not be employed to achieve the pilot’s objectives.

The Enforcement Notice ordered the Home Office to update its internal policies, access guidance and privacy information in relation to the data retained from the pilot.

The Enforcement Notice issued to the charity Penny Appeal concerned the sending of 461,650 spam text messages over a ten-day period. These messages were sent to a database of individuals who had never agreed to receive marketing communications from the organisation. This amounted to a “serious contravention” of Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). These regulations implemented the EU ePrivacy Directive (Directive 2002/58/EC) and cover the privacy rights of customers when electronic communications are used for marketing.

The ICO demanded that Penny Appeal cease to send emails to people for direct marketing purposes, except in cases where the data subject has previously notified the charity that they consent to receive such communications at the time they are sent.

What do these cases mean for your business?

Although the above ICO Enforcement Notices concern a government body and a charity, the reasons for the investigation and penalties are relevant to all businesses. If you are embarking on a project that involves the processing of personal data, you must conduct a DPIA that assesses the risks posed to personal data by the processing, whether the processing is necessary and proportionate, and whether there are other ways to meet the project’s objectives without processing personal data. Most importantly, the DPIA must be thoroughly documented to ensure that if the ICO does investigate your organisation, you can show accountability to the principles of the UK GDPR.

If you have allowed your direct marketing compliance practices to slacken with regard to the UK GDPR and PECR, it is time to revisit whether the people whose personal data you collect have consented to being contacted by electronic communications. To comply with PECR, the consent must be specific to the type of communication being sent and informed, meaning people must understand what they are consenting to.

The best way to manage data protection and privacy law compliance is to outsource DPIAs and have regular legal health checks that look at your data protection compliance. An external risk management and legal specialist will not only have the knowledge and resources available to undertake a DPIA and compliance checks, they will also ensure all the documentation is completed correctly. That way, if a data breach occurs or a complaint is made to the Regulator, you can be confident that you have ample evidence to show ICO investigators that you meet all the relevant compliance requirements.

To find out more about any matters discussed in this article, please email us at [email protected] or phone 0121 249 2400.

The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article, please contact 43Legal.
