The number of UK firms fined by the Information Commissioner’s Office for breaching data protection laws doubled to 35 in 2016. The ICO imposed financial penalties of £3.2m on 35 UK firms for breaching existing data protection laws last year.
According to a recent PwC analysis, the number of UK firms fined by the Information Commissioner’s Office for breaching data protection laws doubled from 18 in 2015 to 35 in 2016, making the UK one of the most active regions for regulatory enforcement action in Europe. The ICO also issued as many as 23 enforcement notices against erring firms in the said period. In 2015, the ICO had issued only 9 such enforcement notices.
As per the Data Protection Act, companies are liable to pay up to £500,000 as fines for breaching privacy rules. However, the fines are expected to go up significantly with GDPR replacing the DPA next year. The GDPR will impose maximum fines equivalent to 4% of a company’s global turnover or £20 million, whichever will be higher.
Because of the low volume of fines imposed under existing laws, the UK lags significantly behind the United States where fines of up to $250m were served on erring firms in 2016. However, only Italy bettered the UK in terms of volume of fines served in Europe last year.
“The ICO can currently issue fines up to £500,000, but with this set to increase to up to 4% of global turnover under the new regulation, UK organisations must use the remaining time to prepare for GDPR compliance before May next year,” said Stewart Room, PwC’s global cyber security and data protection legal services leader.
“We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change.
“It’s impossible to ignore the impact of the legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?” he added.
According to the PwC analysis, monetary fines imposed by the ICO on erring UK firms previously peaked at £2.3m in 2013 before coming down to £1.5m in 2014 and £2m in 2015. The ICO had imposed fines of only £541,000 on erring firms in 2011.
While monetary penalties served by the ICO rose from 18 to 35 between 2015 and 2016, prosecutions rose from 11 to 16, enforcement notices rose from 9 to 23 and undertakings rose from 25 to 30 in the same period. Unless companies change their existing practices to fully comply with GDPR rules once the legislation comes into effect, the number of fines and enforcement notices served by the ICO will rise to much higher levels from next year.