The ICO issued £42m in fines last year - 1,580% increase on the previous year

Published on 01 September 2021

  • “Blockbuster” fines see new record set

The value of ICO fines issued in the past year was the highest on record at £42m – up 1,580% from the £2.5m in fines issued the previous year*, reveals research from RPC, the international law firm.

The rise is driven by a £20m fine issued to an airline and an £18.4m fine to an international hotel chain. The fines were issued following data breaches where millions of customers’ personal data was compromised.

The maximum fine the ICO can issue is £17.5 million, or 4% of a company’s total worldwide annual turnover, whichever is higher.

Richard Breavington, Partner at RPC says: “Clearly the ICO will impose blockbuster fines when it wants large organisations to sit up and take notice. However, overall the ICO has been very fair in terms of the levels of fines it has set.”

“The overall number of fines arising from cyber breaches has remained fairly consistent despite a sharp jump in the number of actual cyber-attacks.”

“At the outset of the GDPR regime there was the concern that the ICO would be making full use of its powers to fine but so far it seems to only be fining as a last resort.”

“The two large fines could have been even higher but the ICO appears to have taken into account the devastating impact of coronavirus on the travel and hospitality sectors and reduced them. However, businesses shouldn’t become complacent.”

The ICO will assess a range of factors when determining the level of a fine for data breaches:

  • Seriousness – relating to the number of persons impacted and the level of impact on them.
  • The level of intention – here companies are assessed to see whether they neglected to protect customer information, with those being judged to have done so facing heavier potential enforcement.
  • The financial means of the corporation – this influenced the ICO’s decision to lower these two blockbuster fines issued during the pandemic (the initial fine for the airline corporation dropped to £20m from £184m and the hotel chain’s fine dropped to £18.4m from £99.2m).

As well as enforcement action against companies that fail to take adequate measures to prevent data breaches, the regulator has also penalised businesses that engage in nuisance marketing tactics.

The research shows there was a fourfold increase in the number of fines related to nuisance messaging and cold calling, compared to the previous year. The ICO levied penalties to businesses that sent out unwanted marketing emails and cold called customers. 

RPC says it is crucial for any business to have the right legal support if it is undergoing investigation or has suffered from a data breach due to a cyber attack. 

Richard Breavington adds: “As organised cyber gangs seem to be acting with ever more sophistication, corporates should plan on the basis that they will suffer a successful breach of their systems at some stage. A measure of success will be how well their sensitive customer data is protected in that breach. Will they be able to limit the amount of data taken from their system and how effectively will they respond to the breach when they discover it?”

Chart: The value of fines issued by the ICO last year increased by 1,580% to £41.9m

Chart: The average value of a fine issued by the ICO soared 564% to £1.7m last year