Bounty Pregnancy Club has been hit with a near-maximum £400,000 fine by the Information Commissioner's Office (ICO) for not being “open or transparent” with people about the fact that their personal data may have been passed on to other organisations.
The breach related to the illegal sale of the personal details of more than 14 million parents to credit reference and marketing agencies.
Bounty shared approximately 34.4 million records between June 2017 and April 2018; the data shared included personal information about mothers-to-be and about young children.
It could have been worse had the offence taken place after 25 May 2018, when the EU’s stricter General Data Protection Regulation (GDPR) came into force. However, because the offences occurred before the GDPR came into force, the breach was dealt with under the Data Protection Act 1998, which has a maximum fine of £500,000. The GDPR and the DPA 2018 gave the ICO new, strengthened powers. Since 25 May 2018, the ICO has the power to impose a monetary penalty of £17 million (€20 million) or 4% of global turnover.
This serves as a warning that data protection is still a live issue and that the ICO will fine companies for “unprecedented” breaches like this. It should also serve as a timely reminder to companies to check their privacy policies and make sure they disclose as fully as possible which organisations, if any, personal information may be shared with. The ICO investigation reports that Bounty’s privacy notices on its website had a “reasonably clear description of the organisations they might share information with”, but that none of the four largest recipients were listed.