A report by law firm RPC has revealed that fines for data protection breaches issued by the Information Commissioner’s Office (ICO) in the latest financial year increased by 1580% compared to the previous year.
The record £42 million in fines issued for data protection breaches in 2020/21 was mainly made up of two high-profile cases. The first was a £20 million fine issued to British Airways following a cyber attack in 2018 that compromised the personal data of 429,612 customers and staff. The second involved Marriott International hotels, which was fined £18.4 million in October 2020 after security weaknesses enabled the worldwide exposure of data and information relating to around 339 million guests.
The ICO has revealed that the fines imposed on both British Airways and Marriott International were significantly lower than originally planned, due to leniency shown in light of the Covid-19 pandemic and the economic pressures it had placed on both businesses.
Under General Data Protection Regulation (GDPR) rules, the maximum fine the ICO can issue is the higher of £17.5 million or 4% of a company’s total worldwide annual turnover.
Richard Breavington, partner at RPC, commented on the fines and action of the ICO:
“Clearly, the ICO will impose blockbuster fines when it wants large organisations to sit up and take notice. However, overall the ICO has been very fair in terms of the levels of fines it has set.”
“The overall number of fines arising from cyber-breaches has remained fairly consistent despite a sharp jump in the number of actual cyber-attacks.”
Breavington also commented on concerns that the ICO would make full use of its powers to fine, but so far, he said, “it seems to only be fining as a last resort”.
“The two large fines could have been even higher, but the ICO appears to have taken into account the devastating impact of coronavirus on the travel and hospitality sectors and reduced them. However, businesses shouldn’t become complacent.”