ICO action analysis reveals reticence to issue huge fines

ICO new 2Claims that GDPR fines will potentially put thousands of British firms out of business have been scotched by an analysis of enforcement action taken under the current data protection regime, which reveals the regulator takes a far more measured approach than some would have you believe.
While the Information Commissioner’s Office has regularly urged businesses to get in shape for the new regulation – and carry out due diligence – some vendors offering GDPR solutions have been accused of using the threat of massive fines to get businesses to sign up to their services.
In serious cases, the ICO can currently issue enforcement notices and, in extreme cases, monetary penalties, up to a maximum of £500,000. Under GDPR this will rise to a maximum fine of up to €20m or 4% of annual turnover.
But according to a blog post by research and analysis company Quocirca, the average fine issued by the ICO in the last two years has been £84,000, which is just 17% of the maximum.
The two largest fines to date have been £400,000, to TalkTalk for its widely publicised 2015 leak of 156,959 customer records, and to Keurboom Communications for 99.5 million nuisance calls.
Of the 87 fines, 48 were related to breaches of the Privacy & Electronic Communications Regulations, at an average of £95,000. A further 13 were to charities for mis-use of data (average £14,000). Eight were data processing (average £68,000) and 18 for data leaks (average £114,000).
According to the ICO’s own figures, there have been 3,902 UK data leaks June 2015. So, the 18 fines issued for data leaks represent less than 0.5% of all cases the ICO could have considered.
Quocirca’s Bob Tarzey writes: “As you would expect, the ICO prioritises the worst incidents. Even then, it is reticent to fine and has rarely come near to imposing the maximum fine. The ICO’s job is to protect UK citizens’ data, not to bring down UK businesses.
“Sure, the ICO will have broader powers, and the possibility to impose higher penalties, under GDPR. However, if the ICO chooses to use these new powers with the same discretion as it has under the Data Protection Act, any data controller who has ensured their organisation is paying due diligence to the way it handles data, should not be losing too much sleep.”

Related stories
Revealed: the ‘dirty dozen’ of GDPR fake news stories
Firms face bombardment of data requests under GDPR
Insurance firms face deleting ‘two-thirds of their data’
GDPR compensation to dwarf £30bn bill for PPI claims
Half of all firms still not compliant with 1998 data laws
Data compensation claims ‘could run into millions’
Major ICO recruitment drive to prevent GDPR meltdown
GDPR fears mount over delay to ICO consent guidance
ICO insists GDPR guidance will cover legitimate interest
John Lewis and HSBC slam ‘ambiguous’ GDPR guidance
Lack of GDPR guidance fuels fears over bombardment