Lock down your data – or get the cheque book out: ICO privacy violation fines are rising, say lawyers

Violating Europe's General Data Protection Regulation (GDPR) rules is a costly mistake that is only getting more expensive, according to lawyers totaling up fines from the UK's Information Commissioner's Office (ICO).

Law firm Reynolds Porter Chamberlain (RPC) today said it has been tracking ICO fines since 2016 and has found that, over the four-year period, the average amount of money taken from punished violators has tripled from £73,645 ($92,560) to £216,200 ($271,730). Most of the increase, says RPC, is the result of the GDPR.

Since the privacy regulations were activated in May 2018, the ICO fined businesses an estimated £5.96m, and the average penalty went up 194 per cent, the law firm says. We note that although the ICO can fine organizations, the money isn't always coughed up.

And that total is set to grow substantially over the short term, thanks to planned penalties of £183m ($230m) against British Airways and £99m ($124m) against Marriott for their respective data fumbling.

The overall increase, say the legal eagles, is not a coincidence. The ICO is making a point of going after big business in order to send a message.

"This suggests that the ICO is being selective about its enforcement targets," said Richard Breavington, a partner at London-based RPC. "However, this new wave of blockbuster fines that the ICO has said it plans to impose shows that pressure on businesses is only likely to increase."

While this will be welcome news to everyone tired of the endless parade of careless companies spilling people's private information, it is a prospect that will keep many business owners up at night. Particularly now that so many employees find themselves working remotely due to the pandemic, far away from the security controls of their corporate networks.

Breavington reckons that the work-from-home transition is only going to mean more lapses in data security and an increase in companies running afoul of GDPR.

"Although many businesses now have robust systems in the workplace to protect against hackers, some might not have the same measures in place to protect against staff working from home," he said. "In addition, there is nobody on the ground to enforce basic protocols to protect against hacking."

That being said, the ICO has also suggested [PDF] it will be easing up a little on those who leak data while short-staffed and outgunned by hackers amidst the pandemic.

The office says it will be showing some restraint in who it goes after for fines over the next few months.

"As a public authority, we must act in a manner which takes into account these circumstances," the ICO says. "The law gives us flexibility around how we carry out our regulatory role, which allows us to recognise and engage with the unique challenges the country is facing." ®