Data Protection Fine – Data Quality Not Fine

The Data Protection Commission this week published a decision in relation to the erroneous updating of 15120 credit history records relating to people who had completed their loan and had no active borrowings. This update had the effect of changing key data in their record so that it appeared they had outstanding borrowings even where the loans or credit facilities had been paid off years before. Of these records, just over 1000 were issued to lenders as part of credit checks, which would have potentially resulted in a refusal of credit in circumstances where it would have been granted. The result is a data protection fine for a data quality problem.

The cause of the issue was a software update that removed key business rules. The root cause of that issue was a failure on the part of the ICB to have appropriate data governance controls in place in respect of the development, testing, and deployment of software changes so that the integrity and accuracy of personal data was ensured.

While the incident was handled by the ICB as a data breach and was reported to the DPC as such, the DPC’s investigation focussed on the application of Data Protection By Design/Default (Article 25), the appropriateness of organisational and technical controls under Article 24, and whether or not there was a Joint Controller relationship under Article 26 GDPR between the ICB and the lenders who shared data with them.

Ultimately, this was a Data Quality and Data Governance issue that triggered a Data Protection problem and impacted on at least a thousand households in Ireland.

The Fine

The Irish Credit Bureau (ICB) was fined €90,000, which was reduced from €220,000 on consideration of various mitigating factors.  Given the impact on the lives of people who were denied credit on the basis of the information disclosed by the ICB, arguably the fine should have been higher. For individuals who were denied credit and suffered a non-material loss as a result, this decision will provide them with significant ammunition in litigation under Article 79 GDPR if they so wish.

The objective of the administrative sanctions regime in the GDPR is to ensure organisations implement compliant processing activities and controls. Fines are required to be appropriate, . They are not required to be punitive, and it can be argued that a punitive fines regime could be counter productive as regards organisations self-reporting incidents to the Regulator.

Factors considered by the DPC in calculating the Fine

It is worth examining the logic of the fine for a moment as it is illustrative of the logic the DPC will apply when calculating fines. Firstly, the DPC considered the failure to implement appropriate Data Protection by Design controls to be serious. Also, the failure to maintain records of testing (test cases, test outcomes etc.) was considered problematic as it prevented the DPC from assessing the adequacy of that testing. The DPC also considered the level of impact to the 15000 people whose data had been altered, as well as the 1062 people whose data had been disclosed and decisions made on the basis of it. The DPC did not accept that there was minimal impact to the data subjects. They also found that there was a potential for high cumulative impacts and economic disadvantage arising from the error. The DPC also considered the duration of the incident which was just over two months, but as it straddled the GDPR implementation period, the DPC could only apply GDPR rules for half of that time period.

The DPC also found that the ICB was negligient in its approach to Data Protection by Design and the development and implementation of internal controls and governance over software changes. This is a very significant finding that organisations need to pay very careful attention do. The failure to maintain appropriate records of systems design, changes, and testing robs the organisation of a defence against a finding such as this.

Other factors the DPC took into account as positives were the speed with which the ICB fixed the issue once it was identified and their action in asking lenders to contact affected data subjects. The DPC also noted that the ICB hadn’t had any similar incidents before. Perhaps I am old, but I do remember issues with data accuracy in a number of pre-GDPR case studies (here, here, and here)

Relevant Data To Consider in the Calculation of the Data Protection Fine

The DPC had proposed a fine of €220,000 initially. This was proposed for a breach of Article 25. The maximum fine for an Article 25 breach is €10 million or 2% of turnover, which ever is higher. The DPC’s published decision has redacted the turnover figure that was provided by the ICB for 2020, and a check on the Companies Registration Office website shows that the ICB hasn’t filed accounts since 2019 (which is a company law issue). Their last available published accounts (up to 2018) reported a turnover of €6.2 million, with net assets of €4.5 million. I find it interesting that the DPC made a point of having to have “regard to the up to date economic situation of the ICB”. Given the non-filing of accounts since 2018

2% of that €6.2 million (the ICB’s turnover in 2018) figure is €124,000. So, the DPC’s original proposed fine of €220,000 was actually 3.5% of the 2018 turnover of the ICB. Still short of the €10 million, but not at an existentially threatening level that would cause an organisation to immediately appeal the decision. Also, the ICB hasn’t published its turnover figures for 2019 or 2020, and the DPC  Bear in mind that the goal of fines under GDPR is to promote compliance in a proportionate and effective way and the DPC needs to establish a good body of decision making precdent.

The fine was reduced by €25k because the ICB had no previous infringements under GDPR (I’ve noted above that the whole area of credit reference agencies has had historic issues). The actions taken to mitigate harms to data subject were worth €55k, and the fact that the ICB adopted new processes and procedures to address the non-compliance reduced the fine by another €50k.

So, not a repeat offender, taking quick action to mitigate harms, and taking steps to remediate the identified issues all contributed to reducing the fine by €130k. There is a a LOT to be said for passing the “attitude test”.

Other Significant Data Protection Findings

The DPC’s finding that, despite the ICB relying on others for the data that they import and process, they still have an obligation to ensure that they have appropriate controls in place to give effect to the Accuracy principle.  This means that organisations need to look at their information value chain and ensure that they are implementing data quality controls to identify instances of innaccuracy and respond to defects when they are identified.

Given the findings from research carried out by UCC/IMI and Dr Tom Redman that less than 3% of organisations have data that meets basic data quality standards, that suggests that a lot of organisations need to start upping their game from a Data Protection by Design and Governance perspective. Poor data quality costs organisations on average between 10% and 30% of turnover.

When an organisation is considering the business case for data quality, particularly where personal data is involved, the DPC’s decision gives a cost of 3.5% of turnover just for regulatory fines.

How Castlebridge Can Help

Castlebridge has extensive experience helping organisations diagnose, assess, and address their data quality challenges. We help you identify the cost of non-quality to your organisation and develop a prioritised roadmap to prevent loss, address costs, and deliver value.

We are also running a half-day seminar next month on Measuring and Improving Data Quality where our award winning CEO and data quality pioneer Daragh O Brien will take delegates through a discussion of the strategic value of data quality measurement for organisations.

Also check out our blog posts on GDPR Fines and a breakdown of the offences under GDPR, and my blog post on the first fines the DPC issued under GDPR against TUSLA (from almost exactly a year ago.