ICO fines more than tripled this year
Regulator levelled more than £15 million in penalties in 2022
The total value of fines imposed by the Information Commissioner's Office (ICO) has more than tripled in the last year, according to analysis from international law firm RPC.
Between 1st November 2021 and 31st October 2022 the ICO issued £15,249,200 of fines - more than a three-fold increase from the £4,848,000 it levelled between 1st November 2020 and 31st October 2021.
The rise can mostly be attributed to just two fines, totalling several million pounds each.
The first punishment was a £7.5 million penalty against Clearview AI, charged with violating privacy laws.
The ICO fined Clearview £7,552,800 in May this year for using the images of people from the UK and other countries without their permission, to build a global online database that could be used for facial recognition.
In addition to the fine, the ICO also issued an enforcement notice to Clearview, requiring the firm to stop collecting and using personal information about UK citizens that is readily accessible online, and to remove the information from its systems.
The second large-scale punishment issued in the last year was a fine of £4.4 million imposed on a construction business for failing to take reasonable precautions to safeguard the data of its customers from a cyberattack.
RPC's analysis reveals that the value of fines specifically related to personal data being stolen via a cyberattack has almost quadrupled in the year to November 2022, rising from £1,285,000 last year to £4,998,000 this year.
Richard Breavington, Partner and Head of Cyber & Tech Insurance at RPC, says the steep increase in the value of fines shows the ICO's increasing willingness to crack down on businesses that are not taking appropriate measures to protect customer and employee data.
"While the regulator took a more measured approach to sanctions during the pandemic, this attitude of forbearance appears to be changing.
"In order to maximise the chances of avoiding a penalty, businesses should ensure that they have proper procedures in place to deal with a data breach. The ICO will take this into consideration when deciding on enforcement."
The ICO is also punishing companies that use nuisance marketing tactics. Businesses were fined roughly £3 million for GDPR infractions such as sending unsolicited marketing emails and cold phoning clients who have requested to be removed from their marketing database.
Before the introduction of GDPR, the General Data Protection Act (1998) only permitted the ICO to levy a maximum punishment of £500,000 - a pretty toothless sum for multi-national firms. Now, the regulator can fine firms up to 4% of their worldwide annual turnover for violations, although the maximum fine is rare.
However, large firms have found the percentage-based system much more punishing. In October 2020, the ICO fined British Airways a record-breaking £20 million for failing to adequately protect customers' personal data.
Just two weeks later, the ICO fined Marriott Hotels £18.4 million for failing to secure client data.