Mermaids charity fined £25,000 after GDPR staff training error

The UK charity Mermaids has received a £25,000 fine from the ICO (Information Commissioner’s Office) after an internal error led to a widescale data breach.

Following an investigation, the data protection body found that Mermaids had established an email group with insufficient security settings.

As a result, hundreds of pages of confidential emails were visible online for nearly three years. They included information relating to 550 people, with names, email addresses and, in some cases, health information available for anyone to view.

Twenty-four people had sensitive details about their emotional state revealed, while 15 others had their sexual orientation and details of their mental and physical health exposed.

What went wrong?

The ICO discovered that Mermaids had inadequate data protection policies and failed to conduct effective staff awareness training.

It also noted that Mermaids’ staff and volunteers received mandatory data protection training in December 2018, which is updated annually, but that the training was “inadequate and/or ineffective”.

This suggests that the training either didn’t cover the effective use of email, which would have prevented this incident, or it didn’t adequately tackle the topic.

The ICO’s director of investigations, Steve Eckersley, said Mermaids “should have known the importance of keeping personal data secure” from its position as an established charity.

He added: “The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with.

“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.”

Of course, it’s not only charities or those that process information related to sensitive issues that need to be concerned; under the GDPR (General Data Protection Regulation), all organisations are required to have effective staff awareness training programmes in place.

This needn’t be a huge, complex endeavour. In fact, if you use a third party such as GRC eLearning, it couldn’t be simpler.

Our e-learning courses will give your staff comprehensive, expert training that will help them keep your organisation’s data secure.

Get started today with our GDPR: Email Misuse Staff Awareness E-Learning Course, and join the 800 organisations already using our courses.
