GDPR three months on

Three months after ‘GDPR day’, the Data Protection Act 2018 is now fully in force and companies are doing their best to comply and to show that they are complying, whilst still waiting to see how devastating new penalties will be.

While the ICO has not yet fined any companies under the EU GDPR or Data Protection Act 2018 (as these breaches happened before May 25), it does seem to be keen to show its teeth. Organisations would do well to heed these warnings, and it seems companies are listening: the ICO reported a significant increase in security breach notifications, from under 400 cases in March to nearly 1,800 cases in June.

Below are some examples of companies falling foul of the rules and the level of fines imposed.

Data Use

In July, the ICO imposed the highest available fine under the old rules, fining Facebook £500,000 for its role in the Cambridge Analytica scandal, where users’ data was harvested and subsequently exploited for targeted political marketing. Facebook fell foul of two aspects of the DPA 1998, first that it failed to properly safeguard its users’ information, and second that it failed to be transparent once it was aware that data had been harvested.

Also in July, Noble Design and Build of Telford, Shropshire was convicted by Telford Magistrates Court and fined £2,000 for failing to comply with an Information Notice, under section 47 of the Data Protection Act 1998, and £2,500 for processing personal data electronically without having 'notified' when it was required to do so, under section 17 of the Data Protection Act 1998.

In August, Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, received a £140,000 fine for illegally selling over a million personal data records to Experian.

Marketing

A South Wales firm was fined £60,000 by the ICO for allowing its lines to be used to send spam texts to more than 270,000 people, without their consent.

In June, enforcement action was taken against two firms for making nuisance telephone calls. One, Our Vault, was also fined £70,000 for making 55,534 unsolicited marketing calls to people who had registered with the Telephone Preference Service (TPS) and had not consented to being contacted by the company.

Also in June, British Telecommunications plc (BT) was fined £77,000 by the ICO after BT sent nearly five million nuisance emails to customers. The investigation found that the company did not have customers’ consent to send direct marketing emails.

Dixons Carphone breach

On 13 June, Dixons Carphone reported a data breach to the ICO which involved 5.9 million payment cards and 1.2 million personal data records. On July 31, an ICO spokesperson confirmed a ‘significantly higher’ figure of 10 million personal records. The breach had an immediate visible effect on the share price.

It remains to be seen what action the ICO will take and whether it will be under the old or new rules, but organisations should be watching the outcome and taking it as a warning to prepare for when, not if, a data breach occurs.

Posted on 09/06/2018 by Ortolan
