The value of ICO fines issued in the past year was the highest on record at £42m, up 1,580 per cent from the £2.5m in fines issued the previous year, reveals research from RPC, the international law firm.
The rise is driven by a £20m fine issued to an airline and an £18.4m fine to an international hotel chain. The fines were issued following data breaches where millions of customers’ personal data were compromised.
The maximum fine the ICO can issue is £17.5m or 4 per cent of a company’s total worldwide annual turnover.
Despite the rise, Richard Breavington, partner at RPC, said: “Clearly the ICO will impose blockbuster fines when it wants large organisations to sit up and take notice. However, overall the ICO has been very fair in terms of the levels of fines it has set.”
“The overall number of fines arising from cyber breaches has remained fairly consistent despite a sharp jump in the number of actual cyber-attacks.”
Breavington also noted: “The two large fines could have been even higher but the ICO appears to have taken into account the devastating impact of coronavirus on the travel and hospitality sectors and reduced them.”
The ICO lowered the initial fine for the airline corporation from £184m to £20m and the hotel chain’s fine from £99.2m to £18.4m.
The ICO assesses a range of factors when determining the level of a fine for data breaches, including seriousness, the level of intention and the financial means of the corporation.
The regulator has also penalised businesses that engage in nuisance marketing tactics.
The research shows there was a fourfold increase in the number of fines related to nuisance messaging and cold calling, compared to the previous year. The ICO levied penalties on businesses that sent out unwanted marketing emails and cold-called customers.
RPC says it is crucial for any business to have the right legal support if it is undergoing investigation or has suffered from a data breach due to a cyber attack.
Breavington added: “As organised cyber gangs seem to be acting with ever more sophistication, corporates should plan on the basis that they will suffer a successful breach of their systems at some stage.”