Research carried out by The SMS Works has revealed that the ICO issued more monetary fines for data breach offenses between 2011 and 2019 than for other offenses like email spam, nuisance calls, and SMS spam.
A detailed analysis into the quantum and nature of fines issued by the ICO has revealed that while organisations were fined a total of £12,672,750 for data breach offenses, they were fined £7,330,000 for making nuisance calls, £2,949,000 for spamming people with SMS, and just £653,500 for carrying out email spam.
The analysis did not include the £183 million fine issued to British Airways and the £99 million fine issued to Marriott International as these are presently being appealed by the respective companies.
Since 2010, not only did the ICO increase its workforce remarkably, employing 700 people across four UK offices, the quantum and the number of fines issued by it also rose consistently over the years. Between 2014 and 2017, the number of organisations fined for various offences rose from 11 to 19 to 32 to 52 and fines issued to them rose from £1.15 million in 2014 to £6.3 million in 2018.
Even though the 1998 Data Protection Act empowered the ICO to fine organisations a maximum of £500,000 for various offenses, very few organisations have had the misfortune of being fined the maximum amount, the only two to have suffered this fate are Facebook and Equifax.
Despite the low amount of fines issued on a case-to-case basis, the ICO still ended up fining organisations a total of £23.5 million between 2011 and 2019. Unsusprisingly, £12.6 million in fines were issued for data breach offenses and the number of such offenses formed 51 percent of all offenses that attracted the ICO’s ire.
Public sector organisations attracted the most fines from ICO
In terms of fines issued by sector, public sector organisations attracted a total of 60 fines since 2010, vastly more than those in the financial sector who attracted a little over 30 fines in the period. Companies in the claims management and home improvement sectors attracted more than 20 fines in the period.
“Those 60 fines have raised more than £7.3 million fines and represent 31% of the total amount fined. Out of the 60 public sector fines, 12 of them were handed out to the NHS and 9 to The Police. All public sector fines were for data breaches,” the firm said, adding that the public sector is responsible for 54% of all fines, that local councils were responsible for half of all data breaches, and that all data breach incidents involving public sector organisations were down to a human error of some sort.
Even though the ICO has fined companies across all sectors for various offenses since 2010, the analysts bemoaned a lack of consistency in how the ICO decides the quantum of fine issued to different organisations.
For example, while EE was fined £100,000 for inadvertently breaking the rules on sending SMS, attracting a fine of 4 pence for each SMS sent, a company called Tax Return Ltd was fined just £200,000 for sending 14.8 million texts and the amount translated to just 1.35 pence per SMS sent.
“This inequity raises questions about whether the ICO, should reveal the basis on which they fine organisations and whether the whole process should be more transparent. It could be argued that the ICO is making an example of high profile companies while spammers that are causing genuine distress are getting off more leniently,” they noted.