According to an analysis by the international law firm RPC, the Information Commissioner’s Office (ICO) levied a record $42 million in fines in fiscal year 2020/21.
That figure is mostly made up of fines imposed by the UK data protection regulator for two high-profile data breaches that resulted in the personal information of millions of people being compromised. British Airways was fined €20 million in October 2020. In the other case, the hotel chain Marriott International was fined €18.4 million by the ICO in October 2020.
Both fines were significantly lower than the numbers originally proposed by the ICO, with the agency taking into account the economic damage that COVID-19 caused to these companies.
In addition to these blockbuster data breach fines, the number of fines the ICO imposed for nuisance messaging and cold calling in 2020/21 quadrupled year over year.
Richard Breavington, Partner at RPC, commented, “The ICO will clearly impose blockbuster fines if it wants big companies to sit up and take notice. Overall, however, the ICO was very fair in terms of the fines it set.
“The total number of cyber breach fines has remained fairly constant despite a sharp increase in the number of actual cyber attacks.
“At the beginning of the GDPR regime, there were concerns that the ICO would use its fining powers to the full, but so far it appears to fine only as a last resort.
“The two heavy fines could have been higher, but the ICO appears to have taken into account the devastating effects of the coronavirus on the travel and hospitality sectors and reduced them accordingly. However, companies shouldn’t become complacent.”
Under the General Data Protection Regulation (GDPR), the maximum fine the ICO can impose is £17.5 million or 4% of a company’s total global annual revenue, whichever is greater.