Sharp rise in ICO fines and enforcement notices as GDPR races closer

Who said the data protection watchdog doesn't bite? Fines levied by the UK's Information Commissioner's Office (ICO) doubled in 2016 compared to the previous year, according to data released by PwC, to hit a total of over £3.2 million, while the organisation calls for more staff ahead of GDPR.

The amount of fines rose by nearly 100 percent as enforcement notices rose by 155 percent, making the ICO one of the most active data protection regulators in Europe.

Data released at the beginning of May by the ICO showed a willingness to aggressively pursue offenders. Deputy commissioner Simon Entwistle commented on the new findings, saying, “People have a fundamental right to privacy and our achievements this year reflect our commitment to uphold that right.”

The ICO gave out 35 civil monetary penalties last year, compared to 16 for 2015. It has also recommended 21 criminal convictions, a 50 percent uptick.

Entwistle added, “We have advised and educated organisations to help them work within the law and we have taken action when they've fallen short of the mark.” The ICO has received more self-reported incidents and concerns than ever before this year. Self reporting increased by 31.5 percent over 2016 and data protection concerns have shot up 12 percent as well, perhaps marking a greater public cognisance of data protection concerns.

Dennis Slattery, CEO of EDMworks, told SC Media UK that the mere increase in public awareness of these kinds of issues may have caused this shift: "People are more aware of their rights and are more keen to complain and press for compensation and sanction; probably a recognition by the ICO that the current fines available under the DPA (Data Protection Act) are not enough to change corporate behaviour and fines of the type specified within GDPR need to be applied."

In recent years the UK data protection watchdog has shown a greater appetite for fining offenders than in previous years. Its largest penalty to date was last year's £400,000 fine of TalkTalk for a 2015 breach, just short of the maximum £500,000 fine it can currently levy.

The ICO's growing willingness to penalise will be a concern to organisations who are eyeing an even bigger threat growing on the horizon.

The General Data Protection Regulation (GDPR) introduces a whole raft of new data protection measures for EU members. As of May next year, organisations operating within the EU will have to, among other things, report data breaches promptly, allow customers a far larger role in the control of their data and appoint data protection officers to oversee the process. Those that don't could be smacked with fines of up to four percent of global turnover or €20 million (£17.4 million), whichever is higher. New research has shown that fine could be in the billions.

Many might be oblivious to what's coming in May 2018 but the ICO isn't. Elizabeth Denham has already been clear that the UK's departure from the EU in 2019 will not affect adherence to the landmark piece of regulation: UK firms will still have to comply and the ICO will continue to enforce, and it is already making plans to expand its operations –  Denham appeared before the House of Lords earlier this year to ask for 200 more investigators, lawyers and specialists to help companies comply with the GDPR.

Deputy commissioner Simon Entwistle said in a statement that “Elizabeth Denham's programme to strengthen the team – in both numbers and expertise – will equip the ICO to meet the challenges ahead.”
