Partner Abigail Healey comments on ICO fines and data breaches in IT Pro

December 14, 2023

Following the news that the UK Information Commissioner’s Office (ICO) has fined the Ministry of Defence £350,000 for disclosing the personal information of people seeking relocation to the UK from Afghanistan, Partner Abigail Healey comments on how organisations can take steps to respond to and rectify data breaches.

Abigail’s comments were published in IT Pro, 13 December 2023, and can be found here.

“The ICO’s decision highlights the importance of obtaining specialist advice as soon as a serious data breach occurs. While mistakes happen, what is business-critical is the response to a breach and steps that are taken to rectify this in the aftermath.

“This is particularly important from a regulatory perspective as, with this case, the ICO was evidently persuaded to reduce the fine levied given the remedial steps taken by the MoD. Their decision highlights the importance of engaging with the regulator and setting out the organisation’s position, including mitigating factors, in full.

“Decisions such as this may, however, leave the organisation more susceptible to civil claims. While an affected data subject would still have to satisfy the court, on the balance of probabilities, that there has been a breach which sounds in damages, a decision of the regulator that not only has there been a breach but that breach was “egregious” is likely to be very persuasive evidence.

“Engaging with the regulator to seek to limit any adverse findings may affect the ability of affected data subjects to bring claims as well as the level of damages awarded in any such claims, and ultimately the exposure of the organisation more generally.

“As with any data breach, the regulatory fine is often the tip of the iceberg and the cost to the business, including remedial costs, advisers’ fees, damages awards, loss of customers and/or business and damage to reputation, may be far higher.”