Safeguarding the right of data subjects: Bounty’s data breach case study


Authors: Trilateral Research

Date: 11 April 2019

The Information Commissioner’s Office (ICO) has handed Bounty (UK) Limited (Bounty) a large fine of £400,000 for illegally sharing personal information belonging to more than 14 million people.

Bounty is a pregnancy and parenting club which promotes products and services, such as Free Packs on the Bounty App, via its website and app. It collects and processes personal information for purposes such as membership registration and claim cards for merchandise.

Bounty was in breach of the previous Data Protection Act 1998 by sharing personal information with a number of third-party organisations without being sufficiently transparent with data subjects about its intention to do so.

The company shared approximately 34.4 million records between June 2017 and April 2018 with credit reference and marketing agencies, including Acxiom, Equifax, Indicia and Sky. Because the unlawful data sharing ended before the introduction of the General Data Protection Regulation (GDPR), the fine levied against Bounty was capped at the previous maximum of £500,000. However, it is still one of the largest issued under the old regime and is comparable with both the Carphone Warehouse and TalkTalk fines for data breaches in 2015. Under the GDPR, for a company with the turnover of Bounty, the potential fine would be up to £17m.

Steve Eckersley, the ICO’s Director of Investigations, said:

“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into the data broking industry and organisations linked to this.

“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such a large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.

“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.”

The investigation found that for online registrations, Bounty’s privacy notices had a reasonably clear description of the organisations they might share information with, but none of the four largest recipients were listed.

Additionally, none of the merchandise pack claim cards and offline registration methods had an opt-in for marketing purposes.

Caroline Dinenage, the care minister, has called on hospitals to do more to control “intrusive” sales people offering photos and handing out fliers and ensure families are in a “safe and comfortable environment” after the birth of a child.

The timing of this fine is interesting in the light of Elizabeth Denham’s speech at the annual ICO conference on 8th April, which members of the Trilateral team attended. The Commissioner highlighted that businesses are falling short of meeting the GDPR’s accountability requirements.

“Accountability encapsulates everything the GDPR is about,” Denham said. “It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks. It formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation. And it reflects that people increasingly demand to be shown how their data is being used, and how it’s being looked after. But I’ll be honest, I don’t see that change in practice yet.”

In response to the data breach fine from the ICO, Jim Kelleher, Managing Director at Bounty, said: “We acknowledge the ICO’s findings – in the past we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regard to transparency, were not robust enough. This was not of the standard expected of us.”

He said the issues were “historical” and that Bounty’s priority was now to provide a service that is “both helpful and trusted”.

This fine has been widely reported in several national newspapers and picked up in many articles and privacy blogs. There is no doubt that Bounty’s reputation has suffered as a result of its data protection failures. The practice of promoting products and services to expectant and new mothers in the labour ward is also now under fire.

The ICO has always stated that it would prefer to use the “carrot” rather than the “stick”. However, given the emphasis on accountability at the recent annual conference and the issuing of a very large fine directly afterwards, it seems that the ICO is finally losing patience with organisations that are reluctant to change their practices and safeguard the rights of their data subjects.

As Elizabeth Denham said in her speech:

“This next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all of your business processes. An accountability approach gives those of you who have the skillset, who have the passion, a chance to see a changing world as an opportunity to have a real and lasting impact.”

Organisations wishing to avoid the wrath of the ICO, particularly under the GDPR, should foster a culture of transparency and accountability when it comes to handling people’s data.

For more information, please refer to our service pages or contact our Data Governance team.