What five data breaches of 2023 teach contractors keen to not fall foul of the ICO and GDPR in 2024

2023 was a landmark year for GDPR enforcement in the UK, bringing crucial lessons for freelance tech contractors navigating the data protection landscape, write Evane Alexandre and Ines Ben Hassine of Gerrish Legal.

But as technology intertwines more deeply with both business and our professional lives, understanding the cases in which organisations fell foul of the Information Commissioner’s Office (ICO) is not just about legal compliance – it's about safeguarding the trust and privacy of your clients and partners.

Five GDPR breaches of 2023 with very clear learnings for contractors

Here, exclusively for ContractorUK, we’ll break down the key GDPR breaches that occurred in 2023, on the back of the contractor sector’s very own breach featuring Optionis (now Caroola).

We’ll also delve into the Information Commissioner’s Office’s responses to such breaches, and share some practical insights containing a few vigilance points for 2024.

1. HelloFresh’s email overreach

Grocery Delivery E-Services UK Ltd, trading as HelloFresh, faced a substantial fine from the ICO of £140,000.

The UK’s data watchdog penalised the company for sending an overwhelming number of spam emails and texts – 79 million and 1 million, respectively, over seven months.

The takeaway for contractors from the HelloFresh case? It underscores the critical nature of adhering to GDPR’s consent and communication regulations.

2. Security lapses at Finham Park Multi Academy Trust

The ICO reprimanded Finham Park Multi Academy Trust for inadequate cybersecurity measures.

The absence of robust account lockout and password policies led to unauthorised access to the Trust’s systems.

The learning for contractors from the Academy case? It demonstrates the need for stringent security protocols in data protection.

3. Unwarranted texts by Daniel George Bentley / Taipan Trading Ltd

In a breach involving direct marketing, Daniel George Bentley, the director of Taipan Trading Ltd, was found to have sent over 2.5 million unsolicited marketing text messages.

The message for contractors from this unsolicited SMS case? It points to the crucial aspect of obtaining proper consent for marketing communications under GDPR.

4. Data accuracy issues at Bank of Ireland

The Bank of Ireland was called out by the ICO for failing to ensure the accuracy of customers’ loan default data, leading to incorrect personal information being recorded.

The interest for contractors in the bank’s case? It highlights GDPR’s emphasis on the accuracy and quality of stored personal data.

5. Privacy misstep by Charnwood Borough Council

Charnwood Borough Council received an ICO reprimand for a serious privacy misstep – disclosing a data subject's new address to an alleged perpetrator of domestic abuse.

The danger for contractors this case highlights? It underlines the need for sensitivity with personal data handling, and the need for discretion and security in data processing.

As we’ve seen from these diverse data law infringement cases of 2023, GDPR breaches can arise from a range of issues – from inadequate security measures to improper data handling.

For contractors, these cases are a stark reminder of the potential pitfalls in data management and the importance of rigorous adherence to GDPR standards. Each instance offers valuable lessons on what to avoid and how to better align practices with GDPR requirements.

Moving beyond the breaches themselves, it is crucial to understand how the ICO has responded.

What are lessons to learn from these five GDPR breaches?

It seems that the ICO has operated in line with its “ICO25 Transformation Programme”, which had set a number of challenges and objectives to achieve by 2025 – including the office’s focus on data subjects’ rights.

Both the ICO25 Transformation Programme and the Strategic Enduring Objectives for the years 2022-2023 had thus emphasised the importance of ensuring that data subjects understand their rights – and are allowed to exercise them.

It is therefore no surprise that one of the main vigilance points for organisations is to ensure they have appropriate internal policies and processes to answer data subjects’ requests.

Indeed, here’s a reminder: the UK GDPR grants data subjects numerous rights – including the right to ask organisations for a copy of their personal information, including where they got their information from, what they are using it for, and who they are sharing it with.

How quickly do data-controllers have to honour data subjects’ requests?

Such requests must be honoured within a month (or two months in case the request is complex, or the data-controller receives numerous requests from the data subject).

Moreover, it is important to keep in mind that information must be provided in an accessible, concise, and intelligible format – and that in most cases, you cannot charge a fee to deal with a request.

As flagged in the first part of this article, the ICO has also been very active regarding marketing communications, which remain a recurrent issue in data privacy practice.

Marketing matters massively to the ICO, in terms of GDPR compliance

To companies, this highlights the importance of having clear and comprehensive guidance on direct marketing, e-marketing rules and requirements under the GDPR, plus on the relevant e-privacy laws, such as the Privacy and Electronic Communications Regulations.

As a quick reminder, organisations are required to obtain the prior consent of the recipients when sending SMS/MMS marketing messages in a B2C context.

Moreover, consent is also required for e-marketing and must be clear and specific. Organisations should keep clear records of the individuals who have consented to receive such communications, both to ensure that those who have opted out are not contacted further and to demonstrate compliance in the event of a complaint.

Consent, context, and contact details

In a B2B context, organisations are not required to obtain the prior consent of the recipients.

However, in this context, they are still required to identify themselves and provide contact details.

Additionally, it is recommended that companies keep a ‘do not email or text’ list of any businesses that object or opt-out.
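The consent and opt-out points above (prior consent for B2C, a sender identity and contact details on every message, and a maintained ‘do not email or text’ list) can be applied as a pre-send gate. The following is an added example written for this article, not code from the article, from Gerrish Legal or from the ICO; the record fields, rule wording and sample contacts are assumptions constructed for illustration.

```python
"""Added example, not code from the article or from Gerrish Legal: a minimal
pre-send gate that applies the consent and opt-out points described above.
Record fields, rule wording and the sample contacts are assumptions
constructed for illustration; they are not ICO or PECR text."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Recipient:
    address: str                       # e-mail address or mobile number
    audience: str                      # "B2C" (individual) or "B2B" (business contact)
    consent_given_at: Optional[datetime] = None  # when explicit opt-in was recorded
    consent_source: str = ""           # evidence of the opt-in, e.g. "web form v3"
    opted_out: bool = False            # recipient asked not to be contacted


@dataclass
class Campaign:
    channel: str          # "email" or "sms"
    sender_name: str      # identity the message must carry
    sender_contact: str   # contact details the message must carry


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # every blocking reason, for the audit trail


def normalise(address: str) -> str:
    """Suppression lookups must not be defeated by case or whitespace."""
    return address.strip().lower()


def build_suppression(recipients) -> set:
    """The 'do not email or text' list: everyone who has objected or opted out."""
    return {normalise(r.address) for r in recipients if r.opted_out}


def may_send(r: Recipient, c: Campaign, suppression: set) -> Decision:
    """Decide whether one message may go, listing every reason it may not.
    Rules applied: suppressed or opted-out contacts are never messaged;
    B2C recipients need recorded, evidenced prior consent; B2B recipients
    do not, but every message must identify the sender and give contact details."""
    d = Decision(allowed=True)
    if r.opted_out or normalise(r.address) in suppression:
        d.reasons.append("recipient opted out / on suppression list")
    if r.audience == "B2C":
        if r.consent_given_at is None:
            d.reasons.append("B2C recipient has no recorded prior consent")
        elif not r.consent_source:
            d.reasons.append("consent has no evidence record (source missing)")
    if not c.sender_name.strip() or not c.sender_contact.strip():
        d.reasons.append("message does not identify the sender or give contact details")
    d.allowed = not d.reasons
    return d


def screen(recipients, campaign: Campaign):
    """Split a contact list into (send, blocked); blocked maps address -> reasons."""
    suppression = build_suppression(recipients)
    send, blocked = [], {}
    for r in recipients:
        d = may_send(r, campaign, suppression)
        if d.allowed:
            send.append(r.address)
        else:
            blocked[r.address] = d.reasons
    return send, blocked


# Constructed sample contacts (not real people or businesses).
SAMPLE_RECIPIENTS = [
    Recipient("alice@example.com", "B2C",
              consent_given_at=datetime(2023, 11, 2, tzinfo=timezone.utc),
              consent_source="newsletter sign-up form v3"),
    Recipient("bob@example.com", "B2C"),                     # never consented
    Recipient("Carol@example.com", "B2C",
              consent_given_at=datetime(2023, 6, 1, tzinfo=timezone.utc),
              consent_source="checkout opt-in", opted_out=True),   # later opted out
    Recipient("procurement@firm.example", "B2B"),            # no consent needed
    Recipient("DAVE@firm.example", "B2B", opted_out=True),   # on the do-not-email list
]
SAMPLE_CAMPAIGN = Campaign("email", "Acme Ltd", "privacy@acme.example")

if __name__ == "__main__":
    to_send, held = screen(SAMPLE_RECIPIENTS, SAMPLE_CAMPAIGN)
    print("send:", to_send)
    for addr, why in held.items():
        print("blocked:", addr, "->", "; ".join(why))
```

The blocked reasons are kept per address rather than collapsed into a yes/no so that the decision can be shown later if a complaint arrives, which is the evidential point the text makes about keeping consent records.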

Another common issue the ICO dealt with last year was the unlawful disclosure of personal data. Many organisations did not have appropriate processes and policies in place, or adequate staff training – which led to numerous penalties.

Start as you mean to go on in 2024, with a GDPR compliance review

A New Year’s resolution for your contractor company or your end-client organisation could be a review of all data protection policies, procedures and guidance, and setting up adequate training for staff responsible for handling personal data.

Additionally, remember to check technical and organisational measures in place to ensure data security and confidentiality.

What about UK data compliance for your new contractor project, app or website?

Finally, if you are planning to develop a new project, whether you are introducing a new product or service on the market, or launching a new app or website, we recommend you apply data protection by design and default principles. These principles should guide the development and deployment of your new project.

This means that you should both (i) implement technical and organisational measures at the earliest stages possible in order to safeguard privacy and personal data from the start; and (ii) ensure that personal data is processed with the highest level of privacy protection. In practice, we suggest you assess from the very beginning of your project whether personal data will be processed, and if so which personal data, for what purposes and ‘how’ (i.e. the method and means of data processing).

Top five ICO enforcement focuses / areas of interest in 2024

While the ICO’s priorities for 2024 have not yet been disclosed, experts believe the authority has hinted at new areas of regulatory focus for 2024. The five we expect to top its agenda are:

1. AI services in recruitment

This focus can be inferred from the rising use of AI-powered hiring methods, such as automated CV evaluations.

It is crucial to recognise that the lack of human oversight and the possibility of errors, when judgments are based solely on automated processing, could constitute a threat to data subjects’ human rights. Data protection authorities all over the globe will be carefully monitoring those services.

2. Safeguarding children’s data

This area remains a persistent concern of the ICO.

3. Financial services industry, notably its technological usage and advancements.

4. Extraction of mobile phone data, chiefly in criminal investigation cases by the criminal justice system.

5. More of the same

By ‘more of the same,’ we mean that what the Information Commissioner’s Office heavily focused on in 2023, namely safeguarding data subjects’ rights, policing marketing communications, and insisting on excellent data security and 100% confidentiality, will probably only intensify in 2024. Contractors, you’ve been warned!


Written by Gerrish Legal

Gerrish Legal is a digital commercial law firm based in London, Stockholm and Paris. Gerrish Legal gives contractors the trusted legal support they need to run their business in all areas of commercial, contract, intellectual property and data protection law. Unlike traditional law firms, we follow your legal matter from A to Z. From the moment contractors partner with us, they can rest assured their legal needs will be looked after with the utmost care. We stay on top of the latest trends, embrace innovation, and provide flexible legal advice in accordance with our contractors’ budgets and deadlines.