With GDPR coming into force on Friday, organisations could face even higher fines in the coming year as the ICO’s enforcement powers increase
Of the 91 enforcement actions for breaches of current data protection laws taken by the ICO last year, 54 monetary penalties were issued to UK organisations, totalling £4,207,500 – an increase of nearly a million pounds over the previous year (35 fines with a total of £3,245,500). With the biggest changes to data protection law for over 20 years coming into force this week with the introduction of the General Data Protection Regulation (GDPR), organisations risk larger fines in the year ahead if they fail to ensure compliance.
As part of the global Privacy & Security Enforcement Tracker, PwC has analysed the UK Information Commissioner’s Office (ICO) data protection enforcement actions over the past four years, looking at monetary penalties, enforcement notices, prosecutions and undertakings. The ICO can currently issue monetary penalties of up to £500,000, and PwC’s analysis found that in 2017, 14 of the 54 fines issued (26%) were for more than £100,000. Under GDPR, the fines for failing to comply can be up to 4% of global turnover or €20m, whichever is higher.
Stewart Room, lead partner for GDPR and data protection at PwC, commented:
“Our analysis found that almost half of last year’s UK data protection enforcement actions were due to marketing infringements, but security breaches and misusing data for profiling purposes also continued to appear as substantial causes of failure. These are key areas for organisations to be mindful of as we move into this new era for data protection.
“The ICO has made it clear, however, that the GDPR is not about the increased fines and the maximum certainly won’t be the norm. It’s really about putting consumer rights at the heart of today’s data-centred world. There’s an option for organisations here: simply see GDPR as a compliance exercise or embrace it and use it as an opportunity to get ahead of your competitors and win consumer trust.
“Signs of progress are very encouraging. At Board tables all over the world we are hearing a refreshing new regard for personal data and in that sense, the GDPR has already been a great success. Findings from our GDPR Readiness Assessments, which we’ve run with over 220 clients globally over the last two years, show that, in general, highly regulated sectors such as healthcare and financial services, which are used to dealing with regulatory change, tend to have a slight margin over others in terms of preparedness.”