On the eve of the one year countdown to the enforcement of GDPR, a fresh warning has been issued that the Information Commissioner’s Office’s new tougher stance on data abuse could see a staggering 4,500% rise in fines, following the introduction of the legislation on May 25 2018.
Earlier this month, an NCC Group analysis of the £880,500 fines dished out by the Information Commissioner’s Office during 2016 predicted they would have soared to £69m under the new regime.
But data specialist Alchemetrics has used more up-to-date figures – from May 2016 to May 2017 – which take into account the ICO’s increased enforcement activity since the beginning of 2017. During this period the regulator issued sanctions to 49 organisations totalling £3.5m.
Under the new measure, which allows data authorities to impose fines of up to 4% of global turnover, Alchemetrics insists these fines would increase to over £150m – a 4,500% rise.
Marketing companies received the highest penalties totalling £1m. Claims companies and finance organisations were the second and third highest payers with £640,000 and £470,000 being shelled out respectively. Charities received the highest number of fines (13) for their use of data matching, wealth screening and data sharing. However, these amounted to an average of just £14,000 each or 0.01% of their average yearly donations, even though the ICO said they could have been much higher.
TalkTalk received the largest penalty ever issued by the ICO (£400,000) for its high profile data breach. But, as has been well documented, under GDPR the company could have found itself facing a bill of nearly £70m. In terms of locations, organisations based in the North West were fined the most (£1m), followed by those registered to the South East (£752,000) and London (£693,500).
The fines covered an estimated 15,214,514 spam texts, 3,589,790 spam emails and 150,600,266 unsolicited calls. Additionally, charities were penalised for 4,183,152 incidences of data matching, 32,266,985 incidences of wealth screening and 9,108,678 incidences of unfairly sharing donors’ details with other charities.
Amongst the fines there were also 12 cases of data protection failures or data breaches, including failing to remove sensitive information from a filing cabinet before giving it to charity, the loss of unencrypted witness DVDs in the post and breaches in online security.
Alchemetrics managing director David Gurney said: “Whilst it is unlikely that the ICO would issue fines amounting to 4% of global turnover, given that many of the penalties issued over the last 12 months were less than 0.01 per cent, this research serves to highlight just how serious a breach of GDPR could be to all organisations – small and large alike.
“For many businesses a fine of this magnitude could be catastrophic. It is crucial therefore that businesses use the time they have left to bring in outside expertise to help them not only become compliant, but to stay compliant.”
Earlier this week, a separate study claimed that 84% of SMEs had still not heard of the new legislation.