A recent survey published by PwC has highlighted the record level of fines issued by the Information Commissioner's Office (ICO) in 2016. Once the General Data Protection Regulation (GDPR) applies from 25 May 2018, with fines of up to €20,000,000, a single fine alone could exceed the total the ICO currently issues in a whole year. If you are not already preparing for the GDPR, your organisation has less than a year to do so.
Within the EU, the UK issued 35 fines in 2016 and was one of the most active member states in taking regulatory enforcement action on data protection, closely followed by Italy, which issued €3.3 million worth of fines for individual data protection breaches (for more information, see https://www.macroberts.com/fines-under-the-gdpr-lessons-from-italy/). The UK figure is almost double the 18 fines issued in 2015. The EU has traditionally seen low volumes of regulatory action compared with jurisdictions such as the US, which issued $250 million worth of fines in 2016. This is likely to change once the GDPR applies, and the EU could see levels of fines that rival those in the US.
Under the GDPR, the ICO will be able to impose fines of up to €20,000,000 or 4% of global annual turnover, whichever is higher. This is a significant increase on the current maximum of £500,000, a level the ICO has never yet imposed on a business. The highest fine issued by the ICO to date was £400,000, against a company that made over 100,000,000 nuisance phone calls.
The ICO has also made greater use of alternative enforcement measures, such as enforcement notices and undertakings, which require organisations to take specified steps to demonstrate compliance after a data protection breach. In 2016, 23 enforcement notices were issued, a 155% increase on the 9 issued in 2015.
Clearly, the ICO has stepped up a gear in its data protection enforcement. Both fines and alternative enforcement actions are increasing, and there is no sign of that slowing down. From 25 May 2018, the GDPR will allow the ICO to issue fines of up to €20,000,000 or 4% of global annual turnover, and it could use these powers to their fullest extent.
Organisations should not put off preparing for the GDPR; there is less than a year to go. The level of fines alone, coupled with the ICO's new-found enforcement zeal, should ensure that organisations do not take GDPR compliance lightly. In the PwC survey, 84% of respondents said that data protection breaches have a negative impact on trust, which is just another reason to get GDPR-ready!
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.