ICO issued £42m in fines last year; £29m is still unpaid

ico n1The Information Commissioner’s Office has revealed that it is still owed nearly £29m in unpaid fines for breaches of data protection laws in the past year alone, due to a double whammy of those who refuse to cough up and those who are appealing enforcement decisions.

According to the ICO’s annual report, during 2020/21 the regulator imposed a total of £41.959m in civil monetary penalties. There is a further, £2.990m which is still under appeal and is not included.

Within the total number of fines imposed, £20m relates to the GDPR penalty against British Airways and £18.4m for Marriott Hotels. Both of these have agreed payment plans, which the ICO says are being paid in equal annual instalments.

At the year end, the fines still to be collected by the ICO and subsequently paid to the consolidated fund stands at £28.667m.

Elsewhere in the 138-page report, the ICO reveals it received 36,607 new data protection complaints during 2020/21, only a slight decrease from the 38,514 it saw in 2019/20, but more than in 2018/19.

The finance, insurance and credit sectors accounted for the most complaints (4,847), followed by general business (3,943) and online, technology and telecoms (3,317). Marketing is 20th on the list, on 143 complaints, with only the religious and “other” categories receiving fewer gripes.

The vast majority of complaints (46%) were over subject access requests, followed by disclosure of data (13%) and right to prevent processing (8%).

When it comes to personal data breach reports, the ICO witnessed a fall in the number of cases for the second year running; 9,532 compared to 11,854 in 2019/20 and 13,840 in 2018/19.

The vast majority of cases (71.4%) were deemed to require no further action, with just 0.1% leading to a fine.

Concerns about breaches of the Privacy & Electronic Communications Regulations (PECR) also dropped for the third consecutive year; 123,569 compared to 127,940 in 2019/20 and 138,368 in 2018/19.

However, the ICO does not provide any details on the outcomes of these complaints in the report.

Outgoing Commissioner Elizabeth Denham, who will leave later this year, is instead keen to big up her office’s performance since she took charge in 2016. She said: “Our successes are testament to the hard work and expertise of the ICO’s staff, and the foundations of the modern ICO laid across the past five years.

“In that time the office has almost doubled in headcount, with a focus on increasing our technical, legal, and economic expertise. We have built partnerships with other regulators and developed our international relationships and influence. We have benefited from our commitment to equality and diversity. And we have strengthened our Management Board, to whom I am personally grateful for their continuing support and guidance.

“More than all of that though, the ICO has developed a confidence in who we are. The work outlined in this report demonstrates a modern, independent ICO that has the courage to take on the complex data protection of the day, and resources and expertise to back that courage.

“That confidence sets us up for future success. The National Data Strategy sets out how the UK is well placed to reap the benefits data can bring in the coming years, both to our economy and to our society. The ICO will be central to that work, encouraging innovation and ensuring that data is managed, protected, and respected to unlock its full impact. Most of all, we will continue to demonstrate that data protection is, at its core, about trust: the digital opportunity before us today will only be realised where people trust their data will be used fairly and transparently.

“In my final annual report as Commissioner, I will conclude with a simple note of thanks. Every day I have worked at the ICO I have been impressed and inspired by the commitment and passion of the staff across our offices. It remains one of the greatest privileges of my life to work with such dedicated colleagues and I am grateful for their support.”

Related stories
BA and Marriott to pay £38.4m GDPR penalties ‘on tick’
MPs warn new data regulator must not be Govt patsy
‘Abusive’ home improvement business nailed by ICO
Another fine mess? ICO still failing to get rogues to pay
Marriott hammers down GDPR fine from £99m to £18m
BA ‘humiliates’ ICO by slashing £183m fine to £20m
‘Distressing’ spam texts cook up trouble for Papa John’s
Three PECR pests fined £415,000 for illegal marketing
Tories spanked by ICO after Boris fails to keep PECR up