Who’s looking after your data protection compliance?


In March 2019 a First-tier Tribunal was held between Farrow and Ball Ltd and the Information Commissioner’s Office (ICO). As part of its work to chase down organisations that are not paying the new data protection fee (as required by the Data Protection (Charges and Information) Regulations 2018, which came into force in UK law at the same time as the GDPR), the ICO contacted Farrow & Ball about its failure to pay the fee. The fee was never paid, so the ICO issued a £4000 fine for non-payment, which Farrow & Ball are dismissing as an oversight, mainly because the contact the ICO had sent the notices to was on holiday.

The Tribunal found in favour of the ICO stating:

We have considered whether the Appellant [Farrow and Ball Ltd] has advanced a reasonable excuse for its failure to comply with the Regulations. We conclude that it has not. We conclude that a reasonable data controller would have systems in place to comply with the Regulations and that the Appellant has pointed to no particular difficulty or misfortune which explains its departure from the expected standards of a reasonable data controller.

And regarding the fine:

Having regard to the relevant principles, we note that the Appellant in this case has not presented any evidence of financial hardship which could affect the penalty. We find it difficult to see how the reduction of the penalty could incentivise the Appellant to greater compliance in the circumstances of this case, where human error appears to have been the main factor. We see no reason to depart from the Respondent’s [ICO’s] assessment of the appropriate penalty.

Data protection doesn’t take a day off!

Whilst on the face of it this is a lesson to everyone to pay the ICO’s data protection fee (the ICO’s guidance on it is here), the key takeaway is, as the ICO puts it, “Data protection doesn’t take a day off”. The key argument for missing the data protection fee (which Farrow & Ball have now paid) was that the person the notice was sent to was on holiday and therefore it was missed. The Tribunal recognised this as “human error” but at the same time found that this was not a “reasonable excuse”.

The same can be said about any aspect of data protection. Being on holiday or not having the time to deal with a data breach (and the GDPR requirements) or a subject access request is unlikely to be an adequate excuse. And if your data protection person is off or unable to help, who’s advising the team about any other data protection issues that may arise? Could they be making their own (ill-advised) decisions?

So, who’s looking after your data protection compliance when you’re on holiday?

We’ve always said that even if you’re not mandated to have a DPO (Data Protection Officer) by law, you should at least appoint someone who takes responsibility. But it goes further than that: you want to be sure data protection is upheld whether your data protection lead is in the office or not, including “in emergency” cover. That’s where outsourcing data protection compliance can be really useful, as you’re either replacing your data protection lead with someone you’re paying to always be available or using them as backup when your data protection lead is off work for whatever reason.

These are just some of the reasons we offer outsourced data protection support either via our Hub advice line or outsourced DPO service (whether mandated or not) – we get to know your business so we can support your business when you need help the most, be that in an emergency or when your data protection lead (or internal guru) takes a break or is off sick. Contact us to find out how we can help support your business.


