Commercial law firm Reynolds Porter Chamberlain LLP says that the average fine levied by the Information Commissioner’s Office rose 14% in the year since the introduction of GDPR, increasing from £125,000 in 2017/18 to £143,000 in 2018/19.
The UK regulator is beginning to assign fines at the maximum £500k for offenses that were previously under the Data Protection Act. According to the firm, the Information Commissioner’s Office is only “scratching the surface of its powers,” yet big fines may not be on the immediate horizon
RPC says that since the May 25, 2018 introduction of GDPR, the ICO appears to becoming more willing to levy bigger fines, especially in high-profile cases of data breaches and misuse.
In the year since GDPR was introduced, the ICO has levied a fine of £500,000 on two separate occasions, having never done so previously. This is the maximum fine the regulator was allowed to levy, as the incidents took place under the previous Data Protection Act of 1998.
GDPR gives the ICO the power to fine businesses up to a maximum of €20m or 4% of global turnover for the most serious data protection incidents.
The law firm expects any increase in the size of ICO fines to be gradual, and to come in response to major breaches of personal information. “The ICO has already begun to ratchet up the value of fines, and it has barely scratched the surface of its powers,” said Richard Breavington, partner at RPC. “The first large-scale loss or misuse of individuals’ data under GDPR will be an important ‘test case’ for the ICO, which will show us how far the regulator is prepared to go in using its new powers – this is a key area to watch."
“However, we don’t expect to see blockbuster €20m fines being levied in the near future. So far the regulator has only started to hit businesses with the £500,000 maximum fine for breaches under the old Data Protection Act,” Breavington said.
Higher GDPR fines aren’t the only outcome the law firm identified since the implementation of GDPR, nor the first. Late last year the firm said that the launch of GDPR also spiked whistle-blower reports made to the Information Commissioner’s Office.
According to the firm, there were 82 whistle-blower reports made to the Information Commissioner’s Office in the three months following GDPR coming into force on May 25 2018, up from the 31 whistle-blower remade in the previous three months.
RPC explained that the Information Commissioner’s Office is actively soliciting whistle-blowers to come forward with any information. This is, of course, increasing the risk of any non-compliant activity at businesses being investigated.
According to RPC, Whistle-blower testimony was an important part of the Cambridge Analytica case. “As a result of new GDPR regulations and greater media exposure, individuals are now more aware of their responsibilities and willing to become a whistle-blower over data protection rights concerns,” the firm said.
Under GDPR, the cap on each individual fine for a breach is €20 million (roughly £17.8 million) – or 4% of worldwide turnover — that’s more than 35 times the previous maximum of £500,000.
Recent research by RPC shows that the average value of a fine issued by the ICO has doubled to £146,000 in 2017-18, up from £73,000.
“Data breaches are now regularly headline news stories and that means more whistle-blowers coming forward. In recent years, data protection has become a major concern not just of Government and regulators, but also the general public. It is not just disgruntled employees who act as whistle-blowers, but genuinely concerned individuals,” said Breavington.
This month the Information Commissioner’s Office levied significant fines against the hotel chain Marriott and airline British Airways.
Earlier CNN reported that the hotel chain said “in a regulatory filing Tuesday that Britain's Information Commissioner's Office intends to impose a £99 million ($124 million) fine under the General Data Protection Regulation.”
“The regulator said that the penalty stems from a Marriott data breach that exposed 339 million guest records globally, including 30 million Europeans. Marriott has said the hack began in 2014 but was only discovered in November 2018, shortly before it reported the breach,” CNN reported.
The British Airways fine was £183.4 million ($230 million) for a breach that compromised data regarding 500,000 of its customers.