Farrow & Ball fined for faliure to pay data protection feeMay 8, 2019
They may make great paint and wallpaper but Farrow & Ball have been in the news for the wrong reasons recently after the Company was issued with a £4,000 penalty notice by the UK Information Commissioner. Farrow & Ball is a Data Controller and pursuant to the Data Protection (Charges and Information) Regulations 2018 it is required to pay an annual Data Protection Fee unless it can claim an exemption. The Data Protection Fee depends on the size of the organisation and fees range from £40 for a Tier 1 Organisation to £2,900 for a Tier 3 Organisation.
As a Tier 3 Organisation, Farrow & Ball should have paid a Data Protection fee of £2,900 however it failed to do so and was issued with a penalty notice of £4,000 by the ICO (the maximum fine being £4,350.00).
Farrow & Ball appealed the notice on the basis that its default was due to an innocent mistake and it argued that:-
• The ICO’s reminder was sent while the relevant Farrow & Ball individual responsible was on holiday;
• The reminder was not identified as important internally; and
• Farrow & Ball paid the fee promptly once the default was identified.
The First Tier Tribunal (Information Rights) (FTT) dismissed Farrow & Ball’s appeal and concluded that Farrow & Ball did not have a reasonable excuse for non-compliance. The FTT concluded that a reasonable Data Controller would have systems in place to comply with the Regulations and that Farrow & Ball pointed to no particular difficulty or misfortune which explained its departure from the expected standards of a reasonable Data Controller. Further, the FTT held that Farrow & Ball had not presented any evidence of financial hardship which could affect the penalty and therefore saw no reason to depart from the original assessment.
Whilst the level of fine will not make a significant dent in the profits of Farrow & Ball, the adverse publicity generated highlights the impact that an administrative error can have on a business. This case highlights that all data protection obligations must be taken seriously and organisations should ensure that fees are paid promptly and that any reminders issued by the ICO are actioned quickly.