As a DPO I am often asked what sort of action would be taken in relation to a particular incident, such as a data breach or missing the deadline for a subject access request. My answer to many of these questions, which might come across as if I am trying to avoid the subject, is that it depends very much on the circumstances: what actions you had taken to prevent the breach, or what reasonable justification you have for missing the subject access deadline. As the ICO would always be the ones making the decision, there isn’t a firm answer, and I would advise you to make sure your policy and processes account for these factors.
Why, you ask? All action taken by the ICO is based upon each individual case and the circumstances associated with it. What makes it harder to give a firm answer is that many cases involving regulatory fines are still being enforced under the Data Protection Act 1998, not the GDPR or the Data Protection Act 2018. On the flip side, what we do know is what we can be fined for, which is a start.
The most recent high-profile case is a regulatory fine against Uber relating to a cyber attack in 2016; this resulted in a £385,000.00 fine, not a small sum. It is also apparent that the ICO has begun the process of fining organisations that have failed to register with them and pay their respective data protection fee. These fines range from £400.00 to £4,000.00. You should all be registered with the ICO anyway and have provided details of your DPO; however, if you haven’t, I would urge you to do so as soon as possible.
To see some of the action the ICO has taken, visit https://ico.org.uk/action-weve-taken/enforcement/
If you don’t have a DPO and don’t know where to start, please do give us a call and we can discuss our DPO service for your school.