Average ICO fine jumps 14% in a year to £143,000 in the wake of GDPR

Published on 28 May 2019

The average fine levied by the Information Commissioner’s Office has risen 14% in the year since the introduction of GDPR, from £125,000 in 2017/18 to £143,000 in 2018/19*, says City-headquartered law firm RPC.

  • Regulator beginning to levy maximum £500k fines for offences under previous Data Protection Act
  • ICO only “scratching the surface of its powers” – but don’t expect blockbuster fines yet

RPC says that since the introduction of GDPR on May 25 2018, it appears that the ICO is becoming more willing to levy bigger fines, especially in high-profile cases of data breaches and misuse.

In the year since GDPR was introduced, the ICO has levied a fine of £500,000 on two separate occasions, having never done so previously. This is the maximum fine the regulator was allowed to levy, as the incidents took place under the previous Data Protection Act 1998. GDPR gives the ICO the power to fine businesses up to a maximum of €20m or 4% of global turnover for the most serious data protection incidents.

RPC says that it expects any increase in the size of ICO fines to be gradual, and to come in response to a major breach of personal information on individuals.

Richard Breavington, Partner at RPC, comments: “The ICO has already begun to ratchet up the value of fines, and it has barely scratched the surface of its powers.”

“The first large-scale loss or misuse of individuals’ data under GDPR will be an important ‘test case’ for the ICO, which will show us how far the regulator is prepared to go in using its new powers – this is a key area to watch.”

“However, we don’t expect to see blockbuster €20m fines being levied in the near future. So far the regulator has only started to hit businesses with the £500,000 maximum fine for breaches under the old Data Protection Act.”

* Data for the 12-month period from May 25 2018 to May 24 2019, compared to the same period a year earlier. Source: Information Commissioner’s Office