Each quarter, our Chief Data Protection Officer, Dave Wonnacott, shines a light on what’s been happening in the world of Data Protection.
When data is utilised correctly, it has the power to enhance customer experience and drive vast amounts of revenue for businesses. However, especially since GDPR came into play last year, there have been some eye-watering fines due to companies improperly dealing with personal information. That’s why Dave is building a cache of relevant stories and examples – to ensure everyone is making informed decisions when it comes to dealing with data in a compliant and ethical way going forward.
Here’s what Dave had to say about it:
Big news on UK GDPR fines (BA and Marriott)
You’ll have seen the two huge data breach fines levied by the UK’s ICO: British Airways was fined £183M (10.6% of its 2018 profit) and Marriott was fined £99.2M (7% of its 2018 profit). The former was a breach involving credit card data, including CVVs, that went undiscovered for two weeks; the latter was a breach of pretty much all sorts of booking information that went undiscovered for years.
If you’re wondering why the fines are suddenly so large, it’s because previous fines were for offences committed before 25th May 2018 when the old DPA1998 was still in force and fines were capped at £500k. Now that the new legislation (DPA2018 & GDPR) is in place, much larger fines are allowed for offences made since May last year. You’ll recall it’s €20M or 4% of the global annual turnover, whichever is larger.
And where does all that money go, I hear you ask? In order that the Information Commissioner’s Office is kept properly independent, it cannot be allowed to profit or be seen to profit from any of the fines it levies. Consequently, all ICO fines go to Her Majesty’s Treasury (specifically the Treasury’s Consolidated Fund) and are available for the Government to use as they see fit. The money is not ring-fenced in any way and could be used for hospitals or potholes.
(Tax) money talks
HMRC kept 5 million voice records as biometric IDs without subjects’ consent for years, and now they’re finally being forced to delete them. “Some of the customers find them useful” is not a lawful reason to harvest data; only valid GDPR consent will do.
Are you in the mood for a little personal data harvesting?
Spotify is selling your mood information for profit. I find this pretty staggering – in a grudging admiration sort of way. The idea that my moods can help sell something is quite brilliant; the idea that an organisation is following me through my daily ups and downs, and then monetising me, is very unsettling…
How smart code and sensitive personal data can change lives for the better
Whether you’re expunging your criminal record or applying for food stamps, this project in the US improves citizens’ lives by bringing their data together efficiently, giving them faster access to social aid programmes.
Big data isn’t always bad – as long as it’s gathered and used lawfully
This is a great article on how tracking people as they work can inform architects and build better, more productive workspaces. It also discusses how Big Data isn’t the solution to everything (largely because of inherent biases in the data). A good read.