Equifax fined £500,000 by ICO due to data protection breach


An enormous privacy breach by Equifax, one of the largest consumer credit reporting agencies in the UK with over 800 million individual consumers, leads to the company being charged the maximum possible fine under UK law (£500,000) that preceded the General Data Protection Regulation (GDPR) by the Information Commissioner’s Office (ICO) due to failing to protect the personal data of approximately 15 million Brits during a massive data breach in 2017.

The fine today would be even higher and in the context of this and the recent UK Tory party’s failure to protect private details of its members through its app including for ministers, it is interesting to consider how the GDPR will impact the finance community. The press revealed over the past weekend that the Conservative Party faces a possible fine of up to £2m after its software app for conference delegates exposed personal data of thousands of MPs and attendees. [Source]

An investigation that was carried out by the ICO and the Financial Conduct Authority (FCA) [20 September 2018] found that Equifax violated more than half of the UK’s applicable data protection principles. The breach did not only cause the loss of personal information, but it was also found to undermine consumer trust in digital commerce. Equifax received the £500,000 fine because of the high number of victims in this breach as well as not adhering to its own policies and controls and the UK law on data protection. [Source]

As mentioned above, the GDPR did not apply in this case because the Equifax breach occurred in 2017 before the GDPR came into force. Instead, it was subject to the UK’s 1998 Data Privacy Act. Any breaches that have either happened or lasted until 25 May 2018 onward, organisations handling EU individuals’ personal data are obliged to comply with the GDPR and the UK Data Protection Act 2018, which includes new requirements and stricter rules in regard to processing and storing personal data.

As Equifax shows, the fines will be pretty significant. The regulatory bodies, not only in the UK but in all EU countries, can and will enforce the new rules without any delay.

The scope of the GDPR is very broad, which is often underestimated. It covers almost everything we do. Therefore, it is crucial to ensure that your Firm has all the policies and procedures in place that are required to be compliant with the GDPR. If you need assistance with the GDPR, we have created an easy-to-use, all-encompassing Impact Assessment tool to help you evaluate your GDPR compliance and any potential areas that could be non-compliant. We have also created Template Policies that you can independently customise to make sure your Firm’s policies are aligned with the GDPR. The policies can be stored and any changes audit trailed within Laven’s Digital Compliance Assistant (DCA) software.

To purchase our Template Policies and Impact Assessment tool, click here.

For further information about the GDPR and our services, click here.

Our solutions will ensure that monitoring is efficient and will help you to protect your Firm. Click here to contact us.

Regulatory Hosting

Laven offers a UK regulatory hosting platform which provides clients with the opportunity to conduct regulated activities as an Appointed Representative (AR).


Follow us on LinkedIn for company updates and the latest news.

Recent articles