The Information Commissioner’s Office (ICO) issued a record £42m in fines during the financial year 2020/21, representing a 1580% increase on the previous year, according to an analysis by international law firm RPC.
This figure was mainly made up of penalties imposed by the UK’s data protection watchdog for two high-profile data breaches that resulted in millions of people’s personal data being compromised. In October 2020, a £20m fine was issued to British Airways for security failings that enabled a cyber-attack to take place in 2018, leading to the personal data of 429,612 customers and staff being accessed. In the other case, also in October 2020, hotel chain Marriott International was fined £18.4m by the ICO over a data breach that saw an estimated 339 million guest records exposed globally.
Both of these fines were significantly lower than the figures originally proposed by the ICO, with the body taking into account the economic damage of COVID-19 on these businesses.
In addition to these blockbuster fines for data breaches, there was also a four-fold rise in the number of fines related to nuisance messaging and cold calling issued by the ICO in 2020/21 compared to the previous year.
Richard Breavington, partner at RPC, commented: “Clearly, the ICO will impose blockbuster fines when it wants large organizations to sit up and take notice. However, overall the ICO has been very fair in terms of the levels of fines it has set.
“The overall number of fines arising from cyber-breaches has remained fairly consistent despite a sharp jump in the number of actual cyber-attacks.
“At the outset of the GDPR regime, there was the concern that the ICO would be making full use of its powers to fine, but so far, it seems to only be fining as a last resort.
“The two large fines could have been even higher, but the ICO appears to have taken into account the devastating impact of coronavirus on the travel and hospitality sectors and reduced them. However, businesses shouldn’t become complacent.”
Under the General Data Protection Regulation (GDPR), the maximum fine the ICO can issue is £17.5m or 4% of a company’s total worldwide annual turnover, whichever is higher.