Home Knowledge Number of Companies Fined for Data Breaches Doubles in UK – A Sign of Things to Come

Number of Companies Fined for Data Breaches Doubles in UK – A Sign of Things to Come

June 28, 2017
Partner
Leo Moore

 

The number of companies in the UK fined for data breaches went from 18 to 35 while the fines themselves have almost tripled since 2014. There was also an increase in the ICO’s issuing of enforcement notices from 9 to 23.

The trend of more and harsher fines by the ICO appears to be continuing this year as Gloucester City Council were fined £100,000 in June for a data breach that occurred in July 2014. The breach took the form of a hack into the council’s mailbox through its website in which 30,000 emails containing the personal information of staff were downloaded.

These developments coincide with the one year countdown to the General Data Protection Regulation (GDPR) which will take effect in May 2018 and will further empower the ICO, the Irish Data Protection Commissioner and other European authorities to increase fines and make use of investigatory powers.

While the ICO has been empowered to issue fines since 2010, the GDPR will provide the Irish Data Protection Commissioner with this power for the first time.

Additionally, and following the National Health Service’s recent cybersecurity vulnerability in the wake of the wannacry ransomware attack, research indicates data breaches in the health sector in particular are on the increase.

The ICO’s total figure of £3.245m in fines is rivalled in Europe only by Italy (€3.3m) while US data breach fines dwarf this figure at $250m for 2016. However, fines across the EU will significantly increase as the GDPR provides for fines of up to 2% of annual turnover or €10m and up to 4% of global annual turnover or €20m.

The UK Information Commissioner Elizabeth Denham has promised harsher penalties in future for non-compliance. According to Denham, the implementation of the new regulatory powers of the GDPR will require a 40% increase in staff numbers for her office in the next two years.

Similarly, in Ireland, the recent General Scheme for the Data Protection Bill 2017 has highlighted that the GDPR will lead to an increase in “resource intensive” cases. The Scheme envisions the possible appointment of three Data Protection Commissioners (DPC), along with an increase of staff at the DPC already underway, to meet this challenge.

Factors which could compound these challenges for the Office of the Data Protection Commissioner include the possible shift of data processing business traffic to Ireland due to Brexit.

While some of the mechanics of how the data supervisory authorities will operate in Ireland and the UK are still being determined, it is clear already that enforcement and fines will only increase under GDPR.

Contributed by: John Magee

Recommended Insights

See all
Article and Insights
1
Feb 2024
Responsible Business Annual Report 2023
William Fry is pleased to launch its Responsible Business Annual Report 2023.
Article and Insights
2
Feb 2024
Digital Operational Resilience Act – second batch of technical standards launched for consultation
We focus on the second batch of draft implementation measures announced by the Eur...
WF_author_blank
Partner
John O’Connor
Article and Insights
2
Feb 2024
John Delaney Documents – Supreme Court Refuses Leave to Appeal
The Supreme Court has refused leave to appeal from a decision rejecting John Delan...
WF_author_blank
Consultant
Deirdre O’Donovan
Article and Insights
24
Jan 2024
Cross-Examining Affidavit Evidence in Insolvency Cases
The High Court recently dismissed a petition seeking the winding up of a biofuel c...
WF_author_blank
Partner
Fergus Doorly
prev
next
See all