In March 2019 a First-tier Tribunal was held between Farrow and Ball Ltd and the Information Commissioner’s Office (ICO). In its work to chase down organisations that are not paying the new data protection fee (as required by the Data Protection (Charges and Information) Regulations 2018 which came into force in UK law at the same times as the GDPR), the ICO contacted Farrow & Ball about their lack of paying the fee. The fee was never paid and so the ICO issued a £4000 fine for lack of payment which Farrow & Ball are dismissing as an oversight, due mainly because the contact the ICO had sent the notices too was on holiday.
The Tribunal found in favour of the ICO stating:
We have considered whether the Appellant [Farrow and Ball Ltd] has advanced a reasonable excuse for its failure to comply with the Regulations. We conclude that it has not. We conclude that a reasonable data controller would have systems in place to comply with the Regulations and that the Appellant has pointed to no particular difficulty or misfortune which explains its departure from the expected standards of a reasonable data controller.
And regarding the fine:
Having regard to the relevant principles, we note that the Appellant in this case has not presented any evidence of financial hardship which could affect the penalty. We find it difficult to see how the reduction of the penalty could incentivise the Appellant to greater compliance in the circumstances of this case, where human error appears to have been the main factor. We see no reason to depart from the Respondent’s [ICO’s] assessment of the appropriate penalty.
Data protection doesn’t take a day off!
Whilst on the face of it, this is a lesson to everyone to pay the ICO’s data protection fee (the ICO’s guidance on it is here) the key takeaway is, as the ICO puts it, “Data protection doesn’t take a day off“. The key argument for missing the data protection fee (which Farrow & Ball have now paid) was that the person the notice was sent to was on holiday and therefore it was missed. The Tribunal recognised this as “human error” but at the same time that this was not a “reasonable excuse“.
The same argument can be said about any aspect of data protection. Being on holiday or not having the time to deal with a data breach (and the GDPR requirements) or a subject access request is unlikely to be an adequate excuse, and if your data protection person is off or unable to help, who’s advising the team about any other data protection issues that may arise? Could they be making their own (ill-advised) decisions?
So, who’s looking after your data protection compliance when you’re on holiday?
We’ve always said that even if you’re not mandated to have a DPO (Data Protection Officer) by law, you should at least appoint someone who takes responsibility. But it goes further than that, you want to be sure data protection is upheld whether your data protection lead is in the office or not, including “in emergency” cover. That’s where outsourcing data protection compliance can be really useful as you’re replacing your data protection lead with someone you’re paying to always be available or using them as backup when your data protection lead is off work for whatever reason.
These are just some of the reasons we offer outsourced data protection support either via our Hub advice line or outsourced DPO service (whether mandated or not) – we get to know your business so we can support your business when you need help the most, be that in an emergency or when your data protection lead (or internal guru) takes a break or is off sick. Contact us to find out how we can help support your business.