As of 12th June 2023, the Information Commissioner's Office (ICO), the UK independent regulator set up to uphold information rights, has already imposed 31 enforcement actions on UK companies in 2023. This includes 7 monetary penalties, 15 reprimands, 7 enforcement notices, and 2 prosecutions. The total value of the monetary penalties so far this year is £13,460,000 and it’s not just big businesses that have received enforcement action.
What is the ICO’s approach to enforcement?
The ICO has been taking a more proactive approach to enforcement in recent years. In the 12 months to October 2022, the ICO issued a record number of fines, totalling £15.2 million. The ICO has said that it will continue to take a tough stance on data protection breaches and that it will not hesitate to issue fines to businesses that break the law.
The ICO's enforcement actions are a reminder to all businesses that they must comply with data protection law. Businesses that do not comply with the law could face enforcement action including significant financial penalties.
What areas do the enforcement actions cover?
The ICO's enforcement actions cover a wide range of data protection breaches, including:
- Failure to obtain consent (when it is necessary) before collecting personal data
- Failure to keep personal data secure
- Failure to use personal data only for the purposes for which it was collected
- Failure to delete personal data when it is no longer needed
What sanctions can the ICO impose?
The ICO has a range of sanctions that it can impose on businesses that breach data protection law.
These sanctions include:
- Monetary penalties: The ICO can fine businesses up to £17.5 million, or 4% of their global turnover, whichever is higher.
- Enforcement notices: The ICO can issue enforcement notices requiring businesses to take certain steps to comply with the law.
- Public censure: The ICO can publish a statement on its website naming and shaming businesses that have breached the law.
- Prosecution: In serious cases, the ICO can prosecute businesses for data protection breaches.
What large fines has the ICO imposed recently?
Here are four examples of large fines issued recently by the ICO:
- In April 2023 TikTok Information Technologies UK Limited and TikTok Inc. (TikTok) were fined £12.7 million for a number of breaches including misusing children’s data.
- In October 2022 Interserve Group Limited was fined £4.4 million for a data security breach that resulted in the personal data of up to 113,000 employees being compromised.
- Also in October 2022 catalogue retailer Easylife Limited was fined £1,350,000 for failing to process personal data lawfully, fairly and in a transparent manner.
- In May 2022 Clearview AI Inc. was fined £7,552,800 for scraping and storing images of people from the internet without their consent.
Are data protection regulators only targeting big businesses?
Sometimes data breaches by big businesses make the headlines, particularly when huge fines are imposed. The Irish Data Protection Commission has recently fined Meta Platforms Ireland Limited (Meta IE), better known as Facebook, €1.2 billion (c. £1 billion) for violating EU data privacy rules.
However, the ICO has recently taken enforcement action against UK businesses of all sizes for breaches of data protection law. The ICO has made it clear that smaller businesses are not exempt from penalties and sanctions.
What enforcement action has the ICO taken against smaller UK businesses?
In June 2023 the ICO fined Maxen Power Supply Ltd £120,000 for making unsolicited calls to people on the Telephone Preference Service (TPS) register. The TPS is a database of individuals who have specifically registered not to receive speculative sales calls. The business had been selling energy products and had made over 500,000 calls to people who had specifically asked not to be contacted.
Recruitment website operator Join the Triboo Limited was fined £130,000 in April 2023 for sending marketing emails to individuals without valid consent.
In May this year, Ice Telecommunications Limited was fined £80,000 for making unsolicited business calls to businesses registered with the Corporate Telephone Preference Service (CTPS) and TPS.
What steps should UK businesses take to comply with UK GDPR?
The UK GDPR is broadly similar to the GDPR that applies across Europe. Some of the basic things that UK businesses can do to be compliant include:
- Appointing a data protection officer (DPO) or otherwise allocating responsibility for data protection to a responsible person.
- Conducting a data protection impact assessment (DPIA).
- Only collecting personal data that is necessary for the purpose for which it is being collected.
- Keeping personal data accurate and up-to-date.
- Storing personal data securely.
- Deleting personal data when it is no longer needed.
- Reporting data breaches to the ICO.
How 3CS can help
One way we can help you is by conducting an annual compliance check. This is an effective way of assessing your data protection compliance to identify areas of risk. It is similar to a full data protection compliance review but is a more cost-effective process that can be carried out more flexibly.
For further help and advice on compliance checks or any data protection matter, please get in touch with your usual 3CS contact.