One of the key features of the General Data Protection Regulation (GDPR) is the level of fine that may be levied against an organisation for failing to protect the personal data it controls. The current maximum fine is set at 4% of global annual turnover or €20m, whichever is the higher.

Both British Airways and the Marriott Hotel chain are already under notice from the Information Commissioner’s Office (ICO) that they face penalties of £183m and £98m respectively for infringements which leaked details of their customers. Now we have the Government in trouble for inadvertently publishing not only the names of those receiving honours in the New Year’s Honours List but also their addresses.

Having regard to the serious nature of this breach and the number of people affected, it seems inconceivable that a very red-faced Government Department will not now face an extremely high fine. Assuming that in due course such a fine is levied, it might be thought that the money will be going around in a circle, i.e. straight into the coffers of an organisation set up by (although independent of) the state. However, there is also the risk of a large number of claims against the Government by those individuals affected by the breach, many of whom may have genuine fears for their safety or that their privacy is put at greater risk than before.

This has been a very high-profile event but the signs are that it arose for no other reason than that a Government employee made a simple but avoidable mistake. As we enter a new decade it is a stark reminder of the great care that must be taken by any organisation, however large or small, when handling personal data. A simple error may prove extremely costly.

The Brexit Withdrawal Bill expressly preserves the GDPR in UK domestic law during the transition period, and its provisions are likely to be maintained in future legislation. This is not a problem area for businesses that is going to go away.