Recent analysis from Reynolds Porter Chamberlain LLP (RPC) has revealed that 2020-21 saw the Information Commissioner’s Office (ICO) issue fines totalling nearly £42m. 2020-21’s figure was a staggering increase of 1580% on the previous year, when the ICO issued just £2.5m in fines.
What drove such a significant increase in ICO fines?
The primary contributors to 2020-21’s record-breaking figure were:
- The £20 million fine issued to British Airways in October 2020 following a significant data breach in 2018.
- The £18.4 million fine issued to Marriott International in October 2020 following a 2014 data breach involving over 339 million records that the business didn’t discover until late 2018.
While these are significant sums, the ICO initially wanted to fine both businesses to an even greater extent. However, in deciding the final sum, the ICO considered the impact of the Covid-19 pandemic on both companies.
The ICO has the power to fine businesses the greater of £17.5 million or 4% of a company’s total global annual turnover. Given that British Airways had revenues of £3.9 billion in 2020 and Marriott International revenues of around £7.7 billion in the same year, saying both got off lightly is something of an understatement!
Increases in fines for nuisance messaging and cold calling
While the British Airways and Marriott fines took the headlines, 2020-21 also saw a four-fold increase in ICO fines against businesses guilty of nuisance messaging and cold calling versus the previous year.
Is 2020-21 a blip or a sign of things to come?
When the General Data Protection Regulation (GDPR) came into force in 2018, the ICO said it planned to favour a carrot-over-stick approach, wishing to help businesses deal with data protection issues rather than immediately issuing fines.
Of course, we don’t get to hear about every data breach that occurs, nor to whom the ICO has issued guidance or warnings. As such, it’s difficult to say whether the last year is a sign of things to come longer-term, particularly as most of the total was generated from two fines.
It’s also worth noting the factors the ICO uses when determining the extent to which it will fine businesses for data breaches:
- The seriousness of the data breach, typically measured by the number of people affected and how they have been affected.
- The level of intention, with businesses found to have been negligent facing more significant sanctions than those who have done all they can to protect consumer data.
- The financial means of the business involved, meaning bigger companies can expect to face more considerable fines. However, bigger companies typically hold more records, so a breach would usually expose a larger number of them and attract a more significant penalty anyway.
What was said about RPC’s findings?
Richard Breavington, Partner at RPC, said, “Clearly the ICO will impose blockbuster fines when it wants large organisations to sit up and take notice. However, overall the ICO has been very fair in terms of the levels of fines it has set.
“The overall number of fines arising from cyber breaches has remained fairly consistent despite a sharp jump in the number of actual cyber-attacks.
“At the outset of the GDPR regime there was the concern that the ICO would be making full use of its powers to fine but so far it seems to only be fining as a last resort.
“The two large fines could have been even higher but the ICO appears to have taken into account the devastating impact of coronavirus on the travel and hospitality sectors and reduced them. However, businesses shouldn’t become complacent.
“As organised cyber gangs seem to be acting with ever more sophistication, corporates should plan on the basis that they will suffer a successful breach of their systems at some stage. A measure of success will be how well their sensitive customer data is protected in that breach. Will they be able to limit the amount of data taken from their system and how effectively will they respond to the breach when they discover it?”
Taking action if you’ve been affected by a data breach
If you’ve been affected by a data breach, you might be entitled to compensation.
Contact LawPlus today to tell us about how your personal details were involved in a data breach and for a FREE, no-obligation assessment of your potential claim.