Data Protection Fine Summary – are you getting the basics right?
The first half of 2022 has seen ICO fines amounting to over eight and a half million pounds – almost 5 times the amount for the same period in 2021. The bulk of this total comes from the £7.5 million fine for Clearview AI, for collecting and processing images for the purpose of facial recognition, on millions of UK citizens.
The biggest fines issued from Europe so far this year were:
- €10 Million in May, from the Spanish Data Protection Authority to Google, for transfer of data to third parties without consent, depriving data subjects of control over their data.
- €17 Million in March, from the Data Protection Authority of Ireland, to Meta Platforms Ireland Ltd for failing to have the necessary technical and organisational measures in place to protect data, including cross-border processing.
- €20 Million in February, from the Italian Data Protection Authority to Clearview AI for failing to inform data subjects of the data processing, for processing the data for purposes beyond what was stated online, and for failing to specify data retention rules.
These fines show that even large organisations are still not applying the core principles of data protection compliance as defined in the GDPR:
- Lawfulness, fairness and transparency – companies must determine that they have a lawful basis for processing data, must consider the effects of processing on the individuals and must be open and honest with data subjects about how their data is being processed
- Purpose limitation – companies must be clear about the purposes for processing and only use the personal data for a new purpose if it is compatible with the original purpose, unless further measures are taken
- Data minimisation – companies must ensure that personal data processing is adequate for the stated purpose, relevant and limited to what is necessary to fulfil that purpose
- Accuracy – companies must take reasonable steps to ensure the personal data they hold is kept up to date and is not incorrect or misleading, and must rectify or erase incorrect data
- Storage limitation – companies must not keep data for any longer than is needed to fulfil its stated purpose, setting appropriate retention rules and implementing processes to enforce those rules
- Integrity and confidentiality (security) – companies must have appropriate security measures in place to protect the personal data they hold and process
In addition, companies must take accountability for what they do with personal data and keep records as an appropriate audit trail to be able to demonstrate compliance with these principles.
Get in touch if you have any concerns and want advice on pragmatic ways to comply with GDPR.