,

What do you need to know about the Bounty pregnancy club personal data breach?

data breach fine

In what is being called an “unprecedented” data breach case, the Bounty pregnancy club has been fined £400,000 after it illegally shared the personal information of more than 14 million people.

What happened in the Bounty pregnancy club data breach case?

Bounty is a pregnancy and parenting support club. It provides free samples, vouchers and guides to new parents and expectant mothers. These parents can sign up through its website and mobile app, and are even directly recruited on maternity wards.

In a shocking breach of trust, between June 2017 and April 2018 the Bounty pregnancy club shared approximately 34.4m records with 39 organisations – without its users’ permission.

The data shared was sensitive and included information about potentially vulnerable new mothers, mothers-to-be, and very young children.

According to the Information Commissioner’s Office (ICO), this data sharing appears to “have been motivated by financial gain”.

Commenting on the data breach, the ICO’s director of investigations said: “Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.

“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this.”

While Bounty’s managing director has admitted fault, and ended the company’s relationships with data brokerage companies, he has not apologised for Bounty’s actions.

Has the Bounty pregnancy club been fined?

Yes. But not as much as you might think. In fact, while the fine is still among the highest ever issued, the breach happened under the UK’s old data protection laws and before the introduction of the European general data protection regulation (GDPR). This caps the potential fine at £500,000. Under the new data protection regime, the maximum fine for a company of Bounty’s size is now €20m (£17m).

What’s more, while the ICO has the power to impose fines for data breaches, it doesn’t award compensation to victims. However, many of these victims could go on to suffer distress at finding out their data has been manipulated in this way; especially as it includes information about young children.

Claim for compensation for the Bounty pregnancy club data breach

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. And crucially, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

Some people would have us believe that claiming for distress is an overreaction. That your physiological suffering and anguish doesn’t matter. You might hear friends and family saying that, while it is acceptable to claim compensation for any financial losses, you should put up with any anxiety caused by having your information sold in this manner.

But being the victim of a data breach can have a substantial impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. So why shouldn’t you seek compensation for a failure to look after your information correctly? Especially when it included data about young children.

If you are worried that your trust has been exploited and the Bounty pregnancy club has breached your data, contact us to find out how we can help.

For more advice on how to keep your data safe, you can also follow us on Twitter and Facebook.