ICO Issued Over £42 Million in Fines Last Year

The UK’s privacy regulator issued over £42 million in fines last year, although the vast majority of the money relates to two major GDPR penalties, according to new data.

Flagged by think tank Parliament Street, the Information Commissioner’s Office (ICO) “work to recover fines” report revealed that 17 financial penalties had been levied in 2020, amounting to more than £42.4 million.

Most can be attributed to the vastly reduced and much-delayed fines finally imposed on Marriott International (£18.4 million) and British Airways (£20 million) for major data breaches. Ticketmaster’s (£1.25 million) was the next-biggest fine, with the remaining 14 standing at £500,000 or less.

Three court orders were issued to wind up erring firms last year, while eight company directors were disqualified following ICO enforcement action.

The latter action is meant to help prevent tactics known as “phoenixing,” where company owners who have allowed illegal practices such as cold calling simply declare bankruptcy after an ICO investigation and start a new company, avoiding any fines.

Thanks to changes in the law, directors could now not only face disqualification, but are also responsible for paying the fines, under either the Data Protection Act 2018, the UK’s version of the GDPR, or the Privacy and Electronic Communications Regulations (PECR), which govern nuisance calls.

ICO group manager for investigations, Natasha Longson, said awareness of these penalties has grown among directors.

“In most cases where a fine has not been paid, we work closely with the Insolvency Service. This has been a very successful collaboration and, last year, saw eight directors disqualified. Recovering fines from insolvent companies has been slower than usual due to the pandemic’s impact on the courts,” she added.

“We take a pragmatic approach to recovery and we support companies and directors in genuine financial hardship, for example agreeing payment plans where appropriate.”

However, some reports suggest the ICO’s strategy for fines is problematic. The original intent was to fine BA £183 million, for example.

What’s more, the regulator has been unable to collect around two-fifths (39%) of the fines issued from 2015-19, according to a report issued last October. In addition, 68% of fines issued since then are outstanding, the report claimed.
