Birth dates; education; countries of birth; genders; number of dependants; emergency contact information, and salary. The databases also held special category personal data, including ethnic origin; religion; details of disabilities; sexual orientation, and health information relevant to ill-health retirement applications. Interestingly, not every item of information was necessarily held for each of the 113,000 individuals; rather, these categories of information were recorded in the relevant databases.
Under Article 33(1) GDPR an organisation is only obliged to describe the approximate categories and number of personal data records when notifying the ICO, which appears to have been the approach adopted by Interserve.

Digest of executive list points to note in the MPN

The MPN is littered with useful insights into ICO enforcement and provides further detail on what the ICO expects with regard to the principle-based obligations in Article 5(1)(f) and Article 32 GDPR. We found the following points of particular interest:

% of revenue. On the face of it, this is a sizeable fine issued to a non-household-name controller for perceived failings in information security.

Dig a little deeper and, in fact, the level of fine appears to be a relatively small percentage of Interserve’s last reported revenues (less than 1/5th of 1%). It is nevertheless a significant amount of money, and the reputational damage arising from a public fine was also taken into consideration by the ICO when setting the fine. The fact that the fine is a relatively small percentage of revenues may indicate that the new Information Commissioner, John Edwards, favours a less aggressive approach to enforcement than his predecessor, Elizabeth Denham, at least when it comes to setting the level of fine. Lower fines are also less likely to result in successful appeals that tie up the ICO’s enforcement team with legal arguments. A key open legal question remains whether the correct maximum fine when calculating fines under the UK GDPR (NB this MPN was issued under EU GDPR) is either.