The ICO has only collected half of data breach fines since 2010
Companies have gone into liquidation to avoid big penalties, and the ICO has no power to stop them
The General Data Protection Regulation, which has major implications for how companies store and process personal data, is now in force. Watchdogs now have the power to enforce fines in the millions of pounds to those who breach regulations - although hopefully the UK's Information Commissioner's Office will be more diligent about collecting them than it has been with previous penalties.
Before the GDPR, companies could be fined a maximum of £500,000 under the Data Protection Act (DPA) or the Privacy and Electronic Communications Regulations (PECR). However, a Freedom of Information Act request by The Register shows that only about half of the fines levied since 2010 have been paid.
Simplifying things a bit, PECR is used to handle automated nuisance calls, while the DPA - closer to the new GDPR - would be levelled at companies who lose personal data.
However, the maximum fines were never actually used: the highest was £400,000 against both TalkTalk, for its 2015 data breach, and Keurboom Communications, for spam calls.
Even a £400,000 fine could be best described as a slap on the wrist for multinational firms, and these were rare. The most common penalties were £50,000 for PECR and £70,000 for the DPA: a blip in the accounting books, at best.
The Register's FoI requests show that the ICO has levied fines of £17.8 million at companies breaking data protection laws since 2010, but only £9.7 million (54 per cent) has been collected - further throwing into doubt the deterrent effect of the regulations.
Of the 174 data controllers issued with a fine, only 14 have paid up in full, although 115 were able to use the ICO's 20 per cent discount for paying within 28 days.
43 companies have paid back half or less of the fine, and 38 of these haven't paid anything.
Of the 13 companies fined £200,000 or more under PECR, only one company - Newday Ltd - has paid a significant amount back. The company paid 80 per cent of its £230,000 fine this year.
The reclaim rate was higher for DPA fines. While about half of firms fined under PECR have paid 80 per cent or less of the penalty, 87 of the 90 companies sanctioned under the DPA have paid up.
Can't pay? No problem
The ICO made it clear that there are several reasons a company might not pay right away, including appeals or an installment plan for payments.
However, other firms take the nuclear option, and simply go into liquidation to avoid paying.
Keurboom, for example - a recipient of one of the two £400,000 punishments, remember - was already in liquidation when the ICO announced its fine. The same happened to Your Money Rights (£350,000, 2017); ProDial Ltd (£350,000, 2016); Media Tactics (£270,000, 2017); and Check Point Claims (£250,000, 2016).
The ICO is attempting to tackle the problem by asking for the power to hold company directors personally liable. The government promised to follow through with this request in 2016, but hasn't actually done so yet.
Information Commissioner Elizabeth Denham said, "We hope the law change will come to fruition soon to increase the tools we have to protect the public from this modern menace." The Department for Digital, Culture, Media and Sport had no direct answer as to when or if the law change might actually come into effect; it told The Register that it is ‘committed to working with regulators to make sure firm directors are held to account if they breach the rules'.
Without an update to the ICO's powers, even the more stringent GDPR penalties - up to four per cent of global annual turnover or €20 million - could end up being non-impactful.