AIBU?

ICO - to report or not to

27 replies

GDPArrrghhh · 16/10/2019 19:40

Name changed for obvious reasons... I did write a thread on this about a year ago... However - long story as short as possible.
A while ago a company that I did some work for erroneously passed my bank details, email address and phone number to a third party. Without going into long-winded details - the upshot has been that I’ve paid tax on an amount that this has caused me hassle - nothing too serious but irritating ended up with me asking to remove all my details from their company database etc. It’s a bit more complex but don’t want to bore.

Anyhows, yesterday I am copied into an email trail - again they have passed my email address on, for a second time to the third party company.

Despite me asking several times how the original breach happened and also what they plan on doing to tighten up their processes - nada.

So I get a call (finally) today from the CEO after threatening to report to ICO. A vague apology etc and I pointed out that they have at least twice passed on my data without my consent, have not deleted as requested etc. CEO’s answer was all very “well I don’t really know much about all that so if you want to sue us go ahead”. I tried twice pointing out that I wouldn’t be suing - and it wasn’t for my benefit (not about compensation - they’d possibly be fined).

He was so dismissive - and very much “well it’s a human error and these things happen”. I get that once is - but this series of fuck ups isn’t human error - it’s a total disregard for data protection and his attitude was very much “well I don’t know about this stuff so I’m going to ignore it”.

I’m tired of the whole thing and basically tempted to leave it - but Aibu to report it?

OP posts:
GDPArrrghhh · 16/10/2019 19:44

Oh and before anyone asks - it’s not a small business

OP posts:
OneShotLattePlease · 16/10/2019 19:47

I hit yabu by mistake
Report to the ICO!!!!! They need to learn the hard way

DragonflyInn · 16/10/2019 19:47

I’d report it. GDPR is there for a reason, and it sounds as though you’ve given them ample opportunity to respect their obligations.

Shamoo · 16/10/2019 19:51

I think whether you are being unreasonable or not depends on whether the tax was due and payable or not - and why they passed on your details. So it's hard to know without more info. For example, they could rely on legal obligation or legitimate interests, depending on why they did it. It isn't always a breach of GDPR to share info without consent.

GDPArrrghhh · 16/10/2019 19:52

@dragonflyInn that’s how I feel - absolutely flipping exasperated. He was just so dismissive. Just oh “the new girl did that” and “well I don’t know about these things”.

OP posts:
Idontwanttotalk · 16/10/2019 19:54

Definitely report it. They need to take data protection very seriously and it certainly doesn't sound as if they do.

If the CEO didn't know that the issue had been raised before and that you'd asked for the data to be deleted then he should have investigated. He needs to find out how the breach occurred and put procedures in place to ensure it doesn't happen again. To tell you to sue was bloody rude of him. He obviously doesn't care. He deserves to be fined.

I would also contact 3rd party in writing and ask them to delete the details from their records and send you written confirmation that they have done so.

Proseccoinamug · 16/10/2019 19:55

Totally report, if only because of his attitude. I think they’re supposed to self report once they’re made aware of a breach anyway. Be helpful and do it for them just in case they forget.

GDPArrrghhh · 16/10/2019 19:55

@Shamoo the passing of my details was a bona fide breach. I didn’t want to be too long in my first post but - basically they filled in a form for a refund from a supplier - and somehow rather than putting their own bank details on it - put on mine (someone for some reason had my details to hand at the time - I am guessing post it note on a desk).

OP posts:
LionelRitchieStoleMyNotebook · 16/10/2019 19:58

I think I remember your original post! I can't believe it's still going on, they've had ample opportunity to tighten up practice, you've been more than patient. Report them.

pp12 · 16/10/2019 20:00

Definitely report to the ICO.

I’m going through something

GDPArrrghhh · 16/10/2019 20:03

I think the funniest thing was - at the end of the call he asked “can I have your address so I can send you an apology” - I laughed and said “there is absolutely no way I’m sharing any more information with you”!

OP posts:
GDPArrrghhh · 16/10/2019 20:17

@LionelRitchieStoleMyNotebook yep been going on for about a bloody year.

OP posts:
WinniePig · 16/10/2019 20:19

Also make a subject access request (to demand copies of all information they hold containing your personal data). That will cause them endless amounts of hassle. If you consented to them processing your personal data then revoke it and demand they delete all the personal data they hold on you (under the right to be forgotten); assuming you no longer use their services.

Shamoo · 16/10/2019 20:20

Definitely report then - sounds like it's the only way they will start to take it seriously!

lljkk · 16/10/2019 20:22

I'll be the only legit YABU voter, then. It reads like you just want to punish them so you can have emotional satisfaction of causing them difficulties. I can't laud that.

GDPArrrghhh · 16/10/2019 20:23

@WinniePig already started drafting it - tbf I imagine that failure to respond to an SAR will just be added to the complaint. I doubt they’d be fined much but may give them much needed kick up the arse.

OP posts:
GDPArrrghhh · 16/10/2019 20:24

@iljkk not in the slightest - I’ve given them a year and ignored the original issue - it’s this second breach and the completely blasé response that’s got me thinking about it. As I mentioned this isn’t a small business.

OP posts:
GDPArrrghhh · 16/10/2019 20:32

sorry @lljkk

OP posts:
AnchorDownDeepBreath · 16/10/2019 20:53

@GDPArrrghhh You can, but don't expect much. A bank gave my abusive ex my phone number and address "by mistake" while writing to me to confirm that they wouldn't disclose that information. The account that they were investigating was fraudulent anyway... I had to spend eight nights in a hotel as the police advised, change my phone number and move house.

It took the ICO from March to October to investigate, and they decided that "although the breach was entirely avoidable and the communication from the bank dismissive and unfortunate, no further action is required".

Gingerbreadsonme · 16/10/2019 20:57

I hit YABU by mistake 🙈 YADNBU! Report!!

GDPArrrghhh · 16/10/2019 21:00

@AnchorDownDeepBreath I remember your thread that is horrific

OP posts:
GDPArrrghhh · 16/10/2019 21:04

@AnchorDownDeepBreath did you ever consider bringing a civil action against them? derails own thread

OP posts:
Pammync · 16/10/2019 21:12

I’m a Data Protection Consultant and have to say I’m rather shocked by the CEO’s response. You’ve indicated that they are a large company who are no doubt processing large volumes of personal data. EVERYONE in their company should be aware of their requirements under the DPA/GDPR... if the CEO doesn’t, what hope is there for the rest of the staff. They have failed not once but twice to protect your personal data and to respond appropriately to a data breach by putting steps in place to prevent a recurrence. I would strongly recommend reporting your concerns to the ICO. From what you’ve described, the breach doesn’t meet the threshold for a fine to be imposed, but the ICO can certainly investigate and advise them of steps to ensure compliance.

GDPArrrghhh · 16/10/2019 21:17

@pammy it was shocking - he even tried “well as far as I know GDPR didn’t apply at the time” (it was last November). You’ve made me more confident in reporting as this really isn’t about the fine it’s about the training to me.

They are a b2b business as opposed to pure customer facing so am guessing that thinks it doesn’t apply.

OP posts:
Elieza · 16/10/2019 21:20

Report. They don’t seem to take the system seriously and don’t understand their responsibility.
They soon will once you report them. And it will help others so it’s good.