The Information Commissioner’s Office handed out monetary penalties of over £4m during 2017, nearly £1m more than the previous year as the GDPR approaches, according to PwC.
The global consulting giant analyzed the ICO’s enforcement actions over the past year, looking at monetary penalties, enforcement notices, prosecutions and undertakings.
In total, 54 fines were handed out in 2017, 14 of them (26%) exceeding £100,000. However, although the ICO has the power to fine up to £500,000, it has never issued the maximum penalty.
The largest number of incidents for which penalties were issued was marketing offences, although security breaches and misuse of data for profiling purposes also loomed large.
When the GDPR comes into force on Friday, the ICO will have new powers to fine up to £17m, or 4% of global annual turnover. However, PwC lead partner for GDPR and data protection, Stewart Room, claimed the ICO has made it clear that maximum fines won’t be the norm.
“It’s really about putting consumer rights at the heart of today’s data-centered world. There’s an option for organizations here: simply see GDPR as a compliance exercise or embrace it and use it as an opportunity to get ahead of your competitors and win consumer trust,” he argued.
“Signs of progress are very encouraging. At board tables all over the world we are hearing a refreshing new regard for personal data and in that sense, the GDPR has already been a great success.”
Room claimed that PwC’s own global GDPR Readiness Assessments over the past two years show that highly regulated sectors such as healthcare and financial services tend to have a slight advantage in terms of preparedness as they are more used to dealing with regulatory change.
As recently as January, a UK government report claimed that just 38% of businesses had even heard of the regulation.