The Information Commissioner's Office (ICO) has served the credit reference agency Equifax with a monetary penalty of £500,000 for global security failings in 2017 which compromised the personal data of 15 million UK data subjects.
Data Protection Advisor Jon Baines said "It is important that, because the failings in question were from 2017, the applicable law was the now-repealed Data Protection Act 1998, and not the General Data Protection Regulation (GDPR). £500,000 was the maximum "fine" available under the old law, whereas the maximum under GDPR is €20m or 4% of global annual turnover (whichever is higher).
Equifax will no doubt be smarting from this regulatory action, but also counting themselves fortunate that GDPR did not already apply, with its potentially much higher sanctions. The worldwide effect of the security breach involved 146 million people, and other regulators will be observing the ICO's action with interest.
It took ICO eight years to serve a maximum penalty under the old law – one wonders how long it will be before we see signs of the increased "fines" under GDPR emerging".