GDPR Financial Risks

30 January 2023

When GDPR came into force, there was a big emphasis on the risks of eye-watering fines from the ICO. In reality, absent blatantly poor practice leading to some form of harm, the risk of a fine from the ICO is low. The ICO is more likely to make a record where breaches are minor. A recent High Court judgment found that the ICO is not under a legal duty to reach a conclusion on every complaint raised. The Judge noted that the ICO is ‘presently stretched to the limit in dealing with the present workload’ when seeking to deal with complaints.

This does not mean that schools can be complacent, but it does mean that the stress of worrying about every breach, in respect of ICO fines, needs to be kept proportionate and in perspective. In giving evidence to the House of Lords’ Public Services Committee meeting, the Commissioner himself has emphasised a ‘revised approach’ where guidance should be used rather than fines. The logic is that fines simply take money out of stretched public services, which have already had a problem, possibly due to a lack of resources. The example cited was the approach with the recent DfE breach that did not result in a fine. More significantly, the Commissioner confirmed the importance of not letting GDPR worries interfere with safeguarding; he emphasised that:

‘if you hold information about a child who may be in need of care or safeguarding who may be vulnerable and you tell an authority who can deal with the issue, you will not experience repercussions or fall foul of UK GDPR’.

The other main fear around GDPR was that of an emerging ‘claims culture’ with no-win, no-fee lawyers salivating at the prospect of suing schools.  While we have not seen a large number of claims, we are definitely seeing more of them.  Some solicitors have prepared proforma ‘pre-action protocol’ letters to send when any breach arises.  It is important when this happens to inform insurers straight away.  Overall, in practical terms, it very much feels like there is a more considerable risk of financial loss arising from these claims than there is of a fine from the ICO.

From the beginning, GDPR was rightly described as a journey, not a destination.  The ongoing good practice remains important.  I am still seeing breaches arising out of basic errors.  These can include uploading pictures when consent has not been given and data not being properly disposed of, and while information-sharing platforms have many advantages, they pose inherent GDPR risks.  The key, as always, is to build GDPR considerations into any system, and I often advise clients

Russell Holland
