Companies suffering data breaches are far more likely to be clobbered by the Information Commissioner’s Office – and harder – than even the most heinous rogue marketers, according to a new analysis of ICO fines issued over the past five years.
Carried out by The SMS Works, the study shows that there has been a 450% rise in penalties from £1.15m in 2014 to £6.3m in 2018 – and that of the four main offences, data breaches, email, SMS and nuisance calls, data breaches account for the largest proportion of fines.
Since 2010, 110 fines have been handed out for data breaches, 50.9% of the total. This represents a major change from two years ago, when a large proportion of fines were for so-called nuisance calls.
Surprisingly, given how much attention GDPR has received, 2019 has been a quiet year so far for fines, with only 13 penalties being handed out; this time last year 29 fines had already been issued.
The first major GDPR rulings to come out of the ICO – the proposed fines against British Airways and Marriott International totalling £282m – are also for data breaches. However, both are being appealed, so do not yet appear on the ICO’s official figures.
Perhaps one of the most striking findings from the analysis is that the public sector is by far the worst offender for data leaks. The public sector has been handed 60 of the 110 total fines for data breaches, and its £7.3m in fines represents 58% of the total. The NHS alone has received 12 fines and the police nine.
Another key finding is that there appears to be a lack of balance in the fines that are issued. Some companies are being fined far more heavily for spam offences, while others are being treated more leniently, with big brands being singled out for the largest fines.
For instance, in June mobile operator EE was fined £100,000 for a fairly minor SMS infringement after including a marketing element in a ‘service’ message sent to 2.4 million customers. In its case report, the ICO conceded that, “EE did not deliberately set out to breach electronic marketing laws”. The SMS did not generate a single complaint.
By contrast, a company called Tax Returned blatantly spammed 14.8 million consumers with an intrusive and unwelcome text. The campaign generated over 2,100 complaints. For such a brazen campaign, the firm received a fine of just £200,000. For each spam text sent, it was fined less than a third as much as EE for a far worse offence.
The SMS Works director Henry Cazalet said: “2019 has been an eerily quiet time for the ICO and we haven’t seen the deluge of fines, post GDPR, that many were expecting.
“The fines for BA and Marriott hotels are both being contested but if the appeals are unsuccessful, then these two fines, totalling £282m, will be more than 12 times what the ICO has handed out in its entire history. They will set the benchmark for what companies can expect to be fined for data leaks or hacks.
“Companies and organisations of all sizes need to urgently take the necessary steps to give adequate protection to the consumer data that they hold. Next year promises to be a busy time for the ICO as it processes and issues fines for many of the very first offences that were committed after GDPR came into force.”