What Are the Biggest Fines Handed Down by the ICO in England?

The General Data Protection Regulation (GDPR) is England’s primary source of data protection rules, so it is essential for your business to comply with them to avoid receiving a fine. The Information Commissioner’s Office (ICO) is an independent body empowered to fine organisations that breach the GDPR. This article explores some of the largest fines the ICO has issued to organisations in recent years. While fines of the size detailed here are rare, your business should consider the precautionary measures it can implement to avoid committing a significant personal data breach.

When Will the ICO Issue Fines?

The GDPR is a central part of UK law on data protection and privacy, so any severe breach carries serious consequences. The Information Commissioner’s Office (ICO) is the primary body responsible for investigating data breaches and handing down fines.

The ICO may issue a fine against your company if it:

  • commits a data breach involving the personal data of individuals;
  • carries out unlawful monitoring of staff and third parties on your premises;
  • stores sensitive information for too long without good reason;
  • fails to answer or correctly process Subject Access Requests (SARs);
  • fails to report a serious data breach to the ICO within 72 hours;
  • fails to store personal information concerning staff and customers safely; or
  • unlawfully leaks personal or sensitive information to others without the consent of the individuals it belongs to.

Largest Fines Awarded by the ICO

Currently, the five largest fines issued by the ICO for breach of data protection law add up to nearly £50m. That is a sizeable proportion of the annual global turnover for the organisations affected. The ICO chose those figures to deter organisations from failing to take sufficient security measures concerning customer data in the future.

Let us run through each fine and the nature of the UK GDPR breach below.

British Airways Fine: £20m

The ICO found that British Airways lacked adequate security measures to guard against cyber attacks. This led to a cyber attack in 2018 that British Airways took over two months to detect. The fine was so significant because adequate IT security would have prevented the attack, which leaked the personal and financial details of more than 425,000 customers.

This stands as the ICO’s largest fine to date.

Marriott Hotels Fine: £18.4m

In 2018, the ICO discovered that a 2014 cyber attack had leaked 339 million guest records worldwide. It concluded that Marriott Hotels had failed to protect the stolen data adequately. Given that the stolen information contained names, phone numbers, email addresses and passport numbers, the ICO considered a considerable fine essential.

In this case, the Information Commissioner said, “Personal data is precious and businesses have to look after it.”

Clearview AI Fine: £7.5m (approx.)

The ICO fined Clearview AI just over £7.5m for collecting images from the internet and social media to build a global face recognition network. Clearview AI obtained the photos without the consent of the individuals pictured. Since its global database contained approximately 20 billion images, this was a significant breach of GDPR rules.

Ticketmaster Fine: £1.25m

The ICO found that Ticketmaster had failed to ensure appropriate security on the electronic payment page of its website. Consequently, hackers obtained sensitive financial information, including names, credit card numbers and CVV numbers, relating to 1.5 million UK citizens.

The Deputy Commissioner hoped that the £1.25m fine would “send a message to other organisations that looking after their customers’ personal details safety should be at the top of their agenda”.

Cabinet Office Fine: £500k

The ICO issued this fine to the Cabinet Office for the well-publicised leak of the postal addresses of the 2020 New Year Honours recipients. The failure to protect this information led to over 1,000 home addresses being published online, and many high-profile individuals were among the victims.

Are All ICO Fines Significant?

Not all ICO-issued fines will be significant. However, the examples above reflect the substantial harm caused by data breaches and the ICO’s strict consequences for non-compliance. Accordingly, ensure your business has strong measures in place to store critical data securely and to delete information safely when required.

For example, ensure your business has:

  • strong password protection for stored information;
  • anti-virus software to guard against potential hackers;
  • clear policies relating to how your business stores, manages and deletes information;
  • procedures for individuals to request the information you hold about them; and
  • any other relevant measures that are reasonable to put in place.

Data breaches can happen to any business, regardless of its size. On the whole, the surest way to protect yourself and avoid ICO-issued fines is by taking active steps to protect your data.

Key Takeaways

The ICO stresses that it will use its powers of financial penalty when justified. It is strict regarding failures to maintain IT security or to detect cyber attacks. However, the ICO is generally lenient toward smaller companies and businesses it is investigating for the first time.

The best advice to protect your commercial interests and avoid ICO-issued fines is to comply with all data protection rules. You can do this by reviewing the guidance documents on the ICO website, including the ICO Employment Practices Code.

If you need help with data protection rules and ICO investigations into alleged breaches of the GDPR, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What can my company put forward as mitigating circumstances within any ICO investigation?

Your business could stress that it provides annual staff training on data protection rules, always makes a genuine effort to comply with the GDPR and that the impact of any breach was minor. If true, the ICO may require remedial action or reduce the fine level.

How often does the ICO issue monetary penalties?

While it is rare for the ICO to issue a maximum fine, it is not averse to punishing organisations for non-compliance with data protection principles. However, if the breach was minor and your company’s first offence, the ICO may choose not to issue a fine.

Thomas Sutherland