Penalty extensions, understandable perhaps in the current times, may have a long-term impact on GDPR enforcement.
The Information Commissioner’s Office (ICO) has once again deferred the massive GDPR fines it announced nine months ago against British Airways and Marriott International. These proposed fines, which relate to data breaches that occurred in 2018, are huge: £183 million for British Airways and £99 million for Marriott International.
Given that the ICO normally has six months after issuing a notice of intent to serve the actual penalty notice and demand payment, and that a three-month deferment had already been granted in January, this second extension might seem somewhat curious.
However, the ICO’s investigations are ongoing, and the pandemic has severely disrupted the whole regulatory process, not least with regard to the question of ability to pay, given that the air travel and hospitality sectors have been devastated by the worldwide lockdowns.
Will these extensions, perfectly understandable in the unprecedented times we are all living through, in fact have a wider, long-term effect on GDPR enforcement generally?
“I think that ICO is taking exactly the right and most fair approach right now,” commented Samantha Humphries, security strategist at Exabeam. “Extending the deadline does not excuse or negate the need for organisations to have good security and privacy practices long term, nor will it prevent the ICO from holding those who exhibit bad practices accountable for their actions.”
“The risk of fines for businesses which are non-compliant with GDPR or who suffer a data breach is certainly going to diminish for a while,” said Danny Reeves, CEO at Exonar.
“The government will simply not wish to apply further financial penalties on businesses already dealing with the hit from the Coronavirus crisis on the economy and the ‘ability to pay’ response will be more prominent,” said Reeves.
“We are bound to see many appeals for extensions primarily due to the financial impact of COVID-19,” explained Safi Raza, director of cyber-security at Fusion Risk Management. He raised the concern that any “absence of actions” may lessen the effectiveness of the ICO.
“Flexibility is being found across the board in governments globally to ensure our economies survive this turbulent period, be it business rates, tax or in this case regulatory actions,” counselled James Chappell, who is the Chief Innovation Officer at Digital Shadows.
Whether this flexibility sets a precedent remains an open question, but Chappell also argued that he would not expect the size of the fines to be varied in these particular cases, although the payment terms imposed for them might be.
These postponements will not alter the need for companies to ensure that information is stored and processed using safeguards and controls appropriate to the sensitivity of the data, observed Chris Hodson, CISO at Tanium.
Exabeam’s Humphries noted that while it’s easy to look at fines, it is only one option available to the regulatory authorities. “They can also issue warnings and reprimands, impose a temporary or permanent ban on data processing, order the rectification, restriction or erasure of data, and suspend data transfers to third countries,” she mentioned.
In most cases it is these other options that are used. “The best deterrent isn’t the fines for most businesses anyway,” cautioned Nicky Whiting, Head of Compliance at Bulletproof. “It’s the reputational damage of having a data breach.”
Are the extensions likely to have any real impact on data protection, data security and data governance, especially as we emerge from lockdown into what, very sadly, is likely to be a prolonged recession of indeterminate length?
“Keeping customer data safe and investing in data governance won’t go away during this crisis and any associated recession,” warned Reeves. “Prioritising data security will remain firmly on the agenda, but we do think we’ll see businesses seeking to understand their data better – knowing what they’ve got and where it’s stored in order to find the asset value will help to rebuild and define competitive advantage in extremely tough trading conditions.”
“The news of ICO imposing fines forced organisations to evaluate their privacy practices and plan adequate changes. The delays, postponement, or reduction of fines will erase the need for the urgency,” Raza explained.
It is to be hoped that these practical decisions, taken in a fast-changing world, will not have that effect, as companies come to realise that the regulator’s policy remains unchanged and that any further lapses will still incur penalties one day.