You may have missed the £120,000 fine imposed on the Kensington and Chelsea council for improper disclosure of the personal details of nearly 1000 residents. The breach was not deliberate; it resulted from one individual's lack of awareness. If you have email marketing lists, then beware.
For instance, the regulations around data portability are not the easiest to understand if you are not a data controller. A number of conditions are attached to what you can and cannot supply in response to an individual's request for their portable data.
You should provide the personal data in a format that is structured, commonly used and machine-readable. These three standards are explained on the ICO website, but unless you have a certain technical knowledge, which is not required of someone whose role is looking after your email marketing list, you might pass the task on to someone who is a bit of an IT whizz, at least compared to you.
One would assume that this person, or group, will be trained in the care of personal data only to a fairly basic level, since they process it only occasionally. That's no problem, you might think. However, Kensington and Chelsea council might have another opinion.
The council had received Freedom of Information requests from three newspapers and supplied the information in the form of a 'pivot table', an Excel worksheet that shows a summary while the underlying information is hidden from view. However, the recipients could reveal that hidden information with a click of a mouse button.
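As an added example, not part of the original post: a pre-release check in Python that inspects an .xlsx package (a zip archive of XML parts) for the pivot cache that Excel saves alongside a pivot table, which carries the full source rows behind the summary, and for worksheets that are merely hidden in the user interface. The sample workbook is constructed inline and is not a real Excel export; the function names are my own.

```python
import io
import re
import zipfile

# Parts of an .xlsx package that still carry the underlying data even when the
# visible worksheet shows only a summary: pivot cache records hold the source
# rows behind a pivot table, and a hidden sheet is hidden only in the UI.
PIVOT_CACHE_RE = re.compile(r"^xl/pivotCache/pivotCacheRecords\d+\.xml$")
HIDDEN_SHEET_RE = re.compile(r'<sheet\b[^>]*\bstate="(hidden|veryHidden)"[^>]*>')


def find_embedded_source_data(xlsx_bytes: bytes) -> dict:
    """Return the pivot-cache parts and hidden sheet names found in an .xlsx blob."""
    findings = {"pivot_cache_parts": [], "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = zf.namelist()
        findings["pivot_cache_parts"] = sorted(n for n in names if PIVOT_CACHE_RE.match(n))
        if "xl/workbook.xml" in names:
            workbook = zf.read("xl/workbook.xml").decode("utf-8", errors="replace")
            for m in HIDDEN_SHEET_RE.finditer(workbook):
                name = re.search(r'\bname="([^"]*)"', m.group(0))
                findings["hidden_sheets"].append(name.group(1) if name else "?")
    return findings


def safe_to_release(xlsx_bytes: bytes) -> bool:
    """True only if no pivot cache and no hidden sheet is present."""
    f = find_embedded_source_data(xlsx_bytes)
    return not f["pivot_cache_parts"] and not f["hidden_sheets"]


def build_sample_workbook(with_cache: bool) -> bytes:
    """Constructed minimal package for the demo (not produced by Excel)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        sheets = '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
        if with_cache:
            # Hidden sheet plus the cached source rows a pivot table is built on.
            sheets += '<sheet name="Residents" sheetId="2" state="hidden" r:id="rId2"/>'
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                        '<pivotCacheRecords><r><s v="Jane Doe (constructed)"/></r></pivotCacheRecords>')
        zf.writestr("xl/workbook.xml", f"<workbook><sheets>{sheets}</sheets></workbook>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_source_data(build_sample_workbook(with_cache=True)))
```

A clean release is a workbook where the summary has been pasted as values into a fresh file, so neither check fires.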
The not inconsiderable fine could have been much higher, as this was a serious breach of the data protection laws. However, there are some useful points here: the actions were not deliberate, the council reported the matter to the ICO without delay, and it put systems in place to ensure there would be no repetition.
Remedial action that reduces the likely penalty makes good sense, but it would be better to ensure there is adequate training for every person involved in processing personal data. You could train a lot of staff for a fraction of £120,000. Note too that the fine was under the old regulations and not the GDPR, with its higher penalties.