If your company fucked up with a data breach, how much tea and sympathy do you think the ICO would have for you before imposing penalties?
If your company fucked up with Google, how much tolerance do you think they would have before imposing penalties?
If you bought a product from a retailer and there was something wrong with it, would you go direct to the supplier or expect the retailer to sort it?
All very much rhetorical questions, yet it seems that the ICO, which is supposed to have the teeth and powers of the GDPR, has decided that both 'Google' and the IAB (Interactive Advertising Bureau) can play by their own rules.
“The ICO doesn’t have a culture of enforcement and doesn’t want to be seen as a bully,” said a data privacy expert who wished to remain unnamed. “They’ve acted like the friendly industry regulator and threatened fines if things don’t change, but it’s clear that some companies have called their bluff in the belief nothing will happen.”
I'll let you read the article in the link below, but this type of thing has a tendency to piss me off - just like certain banks were too big to fail, it seems certain companies can apply for special treatment when it comes to abuse of consumer data.
If a data breach causes an organisation to lose just 1% of its customers it will cost the business on average $2.8m (£2.1m), according to the IBM 2018 Cost of Data Breach study. Lose more than 4% of the customer base and the cost is closer to $6m (£4.7m).
Last year a host of brands were left picking up the pieces after high-profile hacks and IT errors. A failed IT migration cost TSB £330m, caused 80,000 of its customers to switch to rival banks and forced the resignation of its CEO Paul Pester.
The bank spent a total of £125m on customer compensation, £49m to cover fraud and operational losses, £122m to fix its tech systems and £34m in lost income due to waived fees and charges.
“The ICO is understaffed, and even when there is a clear violation like a breach, the lack of resources means it is common to give companies extra time to ‘fix’ their violations instead of handing out fines,” Guarnaccia said. “All of this is contributing to the general wait-and-see stance that some companies may be taking regarding GDPR.”