The average value of fines issued by the Information Commissioner’s Office for failing to protect against data breaches has doubled to £146,000 in the year to September 30 2018, up from £73,000 the year before, says RPC, the City-headquartered law firm.
The total value of penalties imposed by the Information Commissioner’s Office (ICO) rose to £4.98 million last year, up 24% from £4 million the year before.
The introduction of the General Data Protection Regulations (GDPR) is expected to result in higher fines for larger businesses over the medium term.
The ICO is likely to hold off on issuing large fines to SMEs, however, as GDPR fines are proportionate to the risk posed by a breach. The regulator has also said it will not be making early examples of businesses for minor infringements by issuing large fines.
Breaches of the GDPR, which came into effect on 25 May, could potentially lead to an organisation that has failed to protect the data becoming subject to much larger fines -of up to €20m or 4% of the organisation’s turnover. The maximum fine under previous UK legislation was £500,000.
The ICO recently issued the UK’s first GDPR enforcement notice against AggregateIQ, in relation to an incident that saw data of up to 87 million Facebook users accessed. The firm is appealing the fine.
Three of the largest fines issued by the ICO in the last year were against:
- Equifax, which was fined the maximum £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017
- Carphone Warehouse, which was fined £400,000 for failing to adequately protect customer and employee data
- The British and Foreign Bible Society, which promotes the availability of the Bible worldwide, was fined £100,000 following a cyber-attack that compromised personal data of 417,000 people
Richard Breavington, Partner at RPC, comments: “A doubling in the average size of a fine should serve as a wake-up call to businesses. However, political pressure is mounting.”
“Given that there seems to be no slowdown in the number of cyber-attacks today – businesses need to see how they can mitigate the risks to their customer when there is an attack.”