Value of fines issued by ICO increases threefold in a year – from £4.8m to £15m
Fines relating to data breaches account for a third of the overall value
The largest fine issued was £7.5m
Fines issued by the Information Commissioner’s Office (ICO) have more than trebled in value in the last year, from £4,848,000 to £15,249,200*, new research from international law firm RPC shows.
The increase has been largely driven by two multi-million pound penalties - a £7.5million fine against a software business for breaching privacy regulations and a £4.4m fine against a construction company for failing to take reasonable steps to protect its customers' data from a cyber-attack.
The data also reveals the value of fines imposed on businesses specifically relating to personal data being compromised through a cyber-attack has almost quadrupled, from £1,285,000 last year to £4,998,000.
Richard Breavington, Partner and Head of Cyber & Tech Insurance at RPC, says: “The sharp increase in the value of fines shows the ICO’s increasing willingness selectively to crack down on businesses – particularly those that the ICO perceives has not taken adequate measures to protect customer and employee data.
“While the regulator took a more measured approach to sanctions during the pandemic, this attitude of forbearance appears to be changing.
“In order to maximise the chances of avoiding a penalty, businesses should ensure that they have proper procedures in place to deal with a data breach. The ICO will take this into consideration when deciding on enforcement.”
In addition to sanctioning businesses that have failed to protect customer data, the ICO has also issued fines to businesses that have engaged in nuisance marketing tactics.
PECR violations, such as sending out unwanted marketing emails and cold calling customers who have asked to be taken off their marketing database, resulted in businesses being fined almost £3m.
The value of fines issued by the ICO last year increased threefold to £15.2m
*Year end 31 October 2022