Last month, the Data Protection Commissioner (DPC) issued a fine of €463,000 against Bank of Ireland (BoI) for repeated personal data breaches affecting data that was being transferred to the Central Credit Register (CCR). 

The fine could have been, and arguably should have been, much higher at €52.4m. 

The personal data breaches did not arise from a hacker but from fundamental failings in data quality controls and processes resulting in wrong facts being recorded in the CCR.

The DPC’s decision focusses on the delays in reporting the personal data breaches to the DPC and to the affected data subjects. 

However, in doing so, the DPC gives consideration as to whether inaccurate data or errors in transcribing data from an original source to a new process could constitute a “personal data breach” under GDPR. 

The DPC has determined that it would.

Accuracy and integrity of data

In my opinion this is a scenic route to the right conclusion, as the DPC could equally have addressed this as a simple question of whether the bank had appropriate controls to ensure the accuracy and integrity of data being processed and a legal basis for certain processing.

The impact on individuals of having incorrect data about their financial position can be significant, with the potential to impact employment, home buying, or investment in business. 

At the macro level, CCR data is shared with the Central Statistics Office (CSO); errors in the CCR may result public policy being based on duff data. 

As such, it is essential that the quality and accuracy of data in the life cycle from credit application to reporting to the CCR and beyond is above reproach.

BOI now faces the inevitability of litigation from affected people now armed with a DPC decision to bolster their case that the bank’s negligent processing had an impact on their rights. 

Other lenders will doubtless have similar issues. It would behove them to take stock now, review their processes, and ensure that loan information provided to the CCR accurately matches the actual terms of loan agreements and to take prompt action to ensure that errors, and the root causes of those errors, are addressed.

As individuals, we have the right to access data relating to us that is held by organisations such as banks or the Central Credit Register. 

We have the right to have errors in that data corrected, but above all, organisations that process data relating to us owe us a duty to ensure that they have appropriate organisational controls in place to ensure the accuracy and integrity of that data, particularly where it is being shared with or disclosed to other parties.

The DPC decision in relation to BoI may represent the tip of the iceberg; the comparatively low level of fine imposed is a factor of the route taken to the investigation. 

The fines are not for the data quality problems, but rather for the delays in reporting and notifying the existence of the problem. 

Arguably, had the DPC chosen in their inquiry to look at the fundamental issue of data accuracy and the absence of appropriate organisational and technical controls to ensure that data was ‘fit for purpose’ and accurate, the fines might have been higher.

However, high fines do not necessarily drive changes in behaviour, much as we might hope they would. 

The importance of data quality

What is required is awareness both within organisations and within wider society of the importance of data quality, particularly where that data describes or relates to individuals and could result in decisions being taken which have a serious impact on people. 

What is needed is a recognition in organisations of the high and hidden cost of poor data quality management.

In 2017, University College Cork researchers found that less than 3% of Irish organisations have data that met basic data quality standards, representing an average hidden cost of between 10% and 30% of turnover. 

The DPC decision makes clear that duff data represents a GDPR risk to organisations of all sizes, not just financial institutions.

Data Quality matters.

• Daragh O Brien is the founder and MD of Castlebridge (www.castlebridge.ie), one of Ireland’s leading data strategy and governance consultancies. He advises organisations of all sizes on data quality, data governance, and data strategy. He lectures in UCD School of Law and Law Society of Ireland on Data Protection and Governance.