Data Protection News June 19

Q2 2019 Round-up of Data Breaches and ICO Fines
GDPR – Stats from 1 Year On
Lawful Bases and Legitimate Interests
June 28 2019
GDPR - 1 Year On

The EU’s General Data Protection Regulation (GDPR), celebrated its first birthday on May 25th, 2019 and has had a significant impact on the global landscape of personal data protection.  Here are some key stats so far:

  • There have been more than 59,000 personal data breaches notified to regulators up to January 2019.
  • The number of complaints reported by supervisory authorities from 31 countries in the first nine months was 94,622.
  • 91 reported fines have been imposed under GDPR, totaling €55.96m.
  • There has been a global ripple effect of new data protection laws

The first 12 months were a transition year and the UK data protection authority has hinted that they will be issuing some large fines, very soon.

Data Breaches

The number of Data Breaches reported in the media during this quarter was 98, significantly less than last quarter. But the number of estimated records breached so far this year has skyrocketed to 3-4 billion per quarter. The biggest global breaches from Q2 were:

  • Facebook – 540 million users affected
  • MongoDB database – 275 million Indian citizen details
  • Graphic design company Canva – 130 million records

There do not appear to have been any huge data breaches in the UK during this quarter.

ICO Fines

Q2 of 2019 saw a rise in fines from the unusually low Q1, totaling £1,055,000.  The biggest fines this quarter were:

  • Bounty UK Limited fined £400,000 for sharing data unlawfully
  • London Borough of Newnham fined £145,000 for disclosing information in a Police Intelligence database
  • True Visions Productions were fined £120,000 for unlawful filing in a Maternity Clinic
  • Hall and Hanley fined £120,000 for making 350 thousand unsolicited direct marketing calls

For more detailed information about ICO fines, see the ICO enforcement webpage:

Lawful Bases and Legitimate Interests

Within the General Data Protection Regulation (GDPR) organisations are required to specify one of six lawful bases for processing data.

Some of these lawful bases are more objective and indisputable than others and some require more work to implement than others.  The list has been arranged in the order of this authors opinion of preference:

  1. Legal obligation – if you have a lawful reason for processing and can state what this is, it is clear and indisputable.
  2. For the performance of a contract in which the data subject is a party – contractual obligations are also clear and indisputable.
  3. To protect the vital interests of a data subject – if processing may protect an individual or save a life, this is a strong justification for processing data.
  4. For tasks carried out in the public interest – this may concern things like environmental analysis or the detection of criminal behaviour, which is a more subjective judgement. This is one of the two lawful bases to which data subjects can object.
  5. Legitimate Interests – this processing may be to benefit your company or a third party, but this is also a subjective judgement and open to objection by data subjects.
  6. Data subject consent – this is a strong lawful basis to have, but requires the most effort, evidence and change control to adhere to the strict standards for informed consent.


Depending on the circumstance, you may be able to market to people under legitimate interests, or you may need to use consent.

In general, legitimate interests will apply where the processing might reasonably be expected by the data subject and where its impact on the data subject’s privacy is not significant. It may also apply where there is a strong, justified reason for the organisation to carry out the processing.

To mitigate the subjective nature of legitimate interests, a three-part test should be applied which can demonstrate:

  • The precise nature of the legitimate interests (the Purpose test)
  • That the processing is necessary for the legitimate interests (the Necessity test)
  • That the data subject’s interests, rights and freedoms do not override the organisation’s legitimate interests (the Balancing test)

All three tests are still subjective though, so care should be taken that a fair and balanced approach is used, and a reasonable, defensible conclusion is drawn. Legitimate Interest Assessment templates are available online.

This level of due diligence will provide some protection where objections to processing are received, but moreover, it moves organisations into a position where they are embracing the spirit of the law not just the letter of the law. When we start debating whether we really need to process this data or whether we can get the same benefits from processing less data at less risk, this is the start of a cultural shift toward ethical use of data