When it comes to data protection compliance the (Farrow &) Ball is in your court
Recent enforcement action against well-known paint and paper specialist, Farrow & Ball Limited, provides a timely reminder of the need to keep on top of data protection compliance, writes Kitty Rosser, senior associate, Birketts LLP.
The enforcement action in this case related to non-payment of the annual data protection fee. Data protection fees are payable under the Data Protection (Charges and Information) Regulations 2018 which came into effect alongside the GDPR on 25 May 2018.
Given that these fees directly fund the work of the Information Commissioner’s Office (ICO), it is perhaps not surprising that the ICO takes a hard line on enforcement.
Organisations must determine what fee tier they fall within each year based on their annual turnover and number of employees, with fees currently set at £40 for micro organisations, £60 for SMEs and £2,900 for large organisations.
Organisations whose data processing activities are particularly limited may be exempt and exceptions are available for public authorities, charities and small occupational pension schemes.
As a Tier 3 organisation (indicating an annual turnover exceeding £36 million and/or more than 250 employees) Farrow & Ball Limited is required to pay an annual fee of £2,900.
After failing to make the payment, the company was issued with A Notice of Intent by the Information Commissioner’s Office. Farrow & Ball Limited failed to respond to the Notice and a Monetary Penalty Order and the sum of £4,000 was duly issued.
Farrow & Ball Limited appealed to the Monetary Penalty Notice to the First-Tier Tribunal. The company submitted that its non-payment of the data protection fee was an innocent mistake and asked that the £4,000 penalty be waived.
In support of its position, Farrow & Ball Limited argued that:-
- The reminder from the ICO was sent whilst Farrow & Ball Limited’s representative was on holiday
- Further reminders should have been sent
- Correspondence from the ICO addressed to the company secretary was not recognised as important internally
- The ICO was contacted promptly once the error was noted and the data protection fee paid immediately
- The company had learned from its mistake and put procedures in place to ensure that there would be no repeat of the breach
The Tribunal was unconvinced by the arguments put forward by Farrow & Ball Limited and found in favour of the Information Commissioner, upholding the Monetary Penalty Order.
In reaching its decision, the Tribunal noted that Farrow & Ball Limited had not advanced any reasonable excuse for its failure to comply with the regulations and observed that a reasonable data controller would have systems in place to ensure compliance.
The Tribunal held that Farrow & Ball Limited had not been able to point to any particular difficulty or misfortune explaining its departure from the expected standards.
This is not the only example of recent enforcement action by the ICO in respect of data protection fees. Between September and November 2018 the ICO issued over 900 Notices of Intent to organisations for non-payment of the annual fee, resulting in over 100 fines of up to £4,350 each. However, this case is of particular interest because of the Tribunal’s response to the arguments put forwards by Farrow & Ball Limited.
The Tribunal’s comments serve as a timely reminder to all organisations that they must:-
- Take a proactive approach to compliance requirements through implementation of proper processes and procedures
- Ensure all staff are sufficiently trained so that they are able to recognise the importance of matters concerning data protection compliance
- Respond to any communication from the Information Commissioner’s Office promptly and in accordance with any deadline set
Birketts’ Data Protection team provides data protection training as well as legal advice. If you require advice in relation to data protection disputes or would like to discuss your training requirements call Kitty Rosser on 01603 756559 or email: kitty-rosser [at] birketts.co.uk