A new study reveals how many businesses in the UK have been caught breaching GDPR regulations whilst working from home.
Data obtained through a Freedom of Information (FOI) request by confidential shredding and records management company Go Shred reveals that only four penalty notices have been handed out to UK businesses for breaches of GDPR/DPA 2018 regulations since they began working from home.
According to the information provided by the Information Commissioner’s Office (ICO) in response to the FOI request, between 23 March 2020, when the first UK lockdown was imposed, and 13 January 2021, Ticketmaster, Marriott and British Airways were all fined for breaches of GDPR/DPA 2018 legislation.
In addition to these, one further penalty notice was issued to Doorstop Dispensaries, relating to a breach of the GDPR, but this fell just outside the timescales requested in the FOI request. These four incidents represent all of the fines issued by the ICO under the GDPR between 23 March and January 2021.
Investigations by the ICO into potential breaches of Data Protection legislation originate both from complaints made by members of the public and from reports made to the ICO by data controllers advising the ICO that a personal data breach has occurred in line with their obligations under the legislation.
Whilst the ICO is yet to release the annual report on the number of complaints received in the whole of 2020, data from March 2019 to March 2020 shows that 39,860 data protection complaint cases were finished in 2019/20, a 15% increase on the previous year. 25% of this caseload finished with outcomes denoting a breach of the GDPR legislation.
The number of personal data breaches reported and completed by the ICO increased by 3% to 12,789 in 2019/20, compared to 12,385 in 2018/19. The sectors generating the most personal data breaches were health (19.66%), general business (17.16%) and education (14.11%).
Looking back at the breaches and fines handed out since the GDPR regulations came into force in May 2018, the UK is in the top four countries in Europe in terms of the total value of GDPR fines imposed. Italy leads the way at £69,328,716, closely followed by Germany at £69,085,000, France at £54,436,300 and the UK at £44,221,000.
This new study from Go Shred comes after a recent survey from the brand revealed that 66% of homeworkers in the UK have printed work-related documents since they began working from home, potentially breaching GDPR regulations by not securing confidential information. The survey revealed 20% have printed confidential employee information including payroll, addresses and medical information.
Over a third (36%) told Go Shred they are aware of the GDPR rules, so never print at home, and a further 19% admit they have some knowledge of the regulations but would like to know more. But shockingly, 12% of those polled admit they have absolutely no knowledge of the regulations, with 9% saying their employer has not reinforced rules around GDPR and sensitive information while they’ve been working from home.
Mike Cluskey, Managing Director at Go Shred, said: “From accessing work-related emails on personal devices to correctly disposing of confidential printouts, remaining GDPR compliant when working from home can be tricky, but it’s essential to avoid penalties and potential data breaches.
“Our top tips to avoid any breaches would be to only use approved devices, conduct internal training with your staff to make sure they are aware of their responsibilities, take extra care with printouts and secure any paper documents which might contain sensitive information, avoid downloading any suspect files and only communicate in secure work environments, e.g. not sat in front of a window or around people outside the organisation.
“We’re surprised to see that only four businesses have been fined for breaching GDPR regulations since beginning to work from home, but it is alarming to see that complaints and personal data breaches are on the rise compared to previous years.
“Companies of all shapes and sizes need to ensure GDPR compliance. Whether you’re a startup or a well-established organisation, sticking within the existing guidelines is essential to avoid fines and reduce the risk of data breaches. We urge business leaders to look at their existing practices, both online and offline, and consider whether these are still working for their remote staff. Homeworkers should also take extra precautions to make sure they are doing everything they can to protect confidential data and information.”