To mark the one-year countdown to the enforcement of GDPR, new research from Alchemetrics has revealed that ICO fines could increase by 4500% following the introduction of the new legislation on May 25, 2018.
In the last year (May 2016–May 2017) the ICO issued sanctions to 49 organisations totalling £3.5m. However, under the new EU Directive, the ICO will have the power to fine organisations up to four per cent of their annual global turnover. This amounts to over £150m when applied to the organisations fined over the last 12 months.
Marketing companies received the highest penalties, totalling £1m. Claims companies and finance organisations were the second and third highest payers, with £640,000 and £470,000 being shelled out respectively. Charities received the highest number of fines (13) for their use of data matching, wealth screening and data sharing. However, these amounted to an average of just £14,000 each, or 0.01% of their average yearly donations. TalkTalk received the largest penalty ever issued by the ICO (£400,000) for its high-profile data breach. But under GDPR the company could have found itself facing a £72m bill. In terms of location, organisations based in the north-west were fined the most (£1m), followed by those registered in the south-east (£752,000) and London (£693,500).
The fines covered an estimated 15,214,514 spam texts, 3,589,790 spam emails and 150,600,266 unsolicited calls. Additionally, charities were penalised for 4,183,152 incidences of data matching, 32,266,985 incidences of wealth screening and 9,108,678 incidences of unfairly sharing donors’ details with other charities. Amongst the fines there were also 12 cases of data protection/data breaches. These included failing to remove sensitive information from a filing cabinet after giving it to charity, the loss of unencrypted witness DVDs in the post and breaches in online security.
“Whilst it is unlikely that the ICO would issue fines amounting to four per cent of global turnover, given that many of the penalties issued over the last 12 months were less than 0.01 per cent, this research serves to highlight just how serious a breach of GDPR could be to all organisations – small and large alike,” said David Gurney, Managing Director, Alchemetrics.
“For many businesses a fine of this magnitude could be catastrophic. It is crucial therefore that businesses use the time they have left to bring in outside expertise to help them not only become compliant, but to stay compliant.”