Blog.

Unless you have been living on another planet this week, you won’t have missed the ICO’s big moment in the sun. The Information Commissioner’s Office (ICO) has imposed two massive GDPR fines in recent days. This enforces new changes to the penalties for data security breaches.

It’s a bit like waiting on Euston Road for the number 29 bus for 40 minutes, and then two buses arriving at exactly the same time. Two massive GDPR fines for two massive household brands. A record £183m for British Airways, for losing data on over 500,000 customers.

Then, £99m for Marriott Hotels, for losing data on over 30m customers residing in the EU ( with 339 million people impacted worldwide). As personal data becomes a greater concern, good data management is more important than ever.

Think back to before the new GDPR laws came into effect. The maximum penalties for companies after a data security breach were limited to a maximum of £500,000. Facebook was fined this maximum for their involvement in the Cambridge Analytica scandal back in 2017. In turn, this led many to question whether this maximum needed to be raised.

Where do ICO fines go?

Now, under the new laws, the maximum has been raised. Fines will now match €20m (roughly £18m), or 4% of their annual global turnover. From this recent news, it’s clear that the ICO will be enforcing these massive GDPR fines. In the fallout of this news, we’re left asking two main questions.

Where will all this money go, and will it be used to create a ‘Super Privacy Police Force’? Could we see a watchdog tasked with hunting for those companies that haven’t got their house in order (and are putting customer data at risk)?

According to ICO published figures, the watchdog currently employs five hundred people across multiple locations. This may seem like a lot at first glance. Yet, if you’ve ever had contact with them, the organisation doesn’t seem large enough to provide sufficient scrutiny on these large organisations.

At the time of writing, there only three current job vacancies advertised on its recruitment website. However, it’s not difficult to imagine the ICO kicking off a new recruiting spree after these successes.

ICO fines funding a GDPR task force?

The ICO in the UK states that it’s funded by the processing fees (which start at £40). In comparison, other countries across Europe utilise these data breach fines to supplement their own funding.

Will we see an increase in the Privacy Police in the UK? Certainly, the ICO have increased their scope recently to include AdTech. It doesn’t appear we are going to see any more privacy bobbies on the beat any time soon. However, I would certainly welcome an increase in the scrutiny around the use and storage of my personal data.

In the long run, GDPR will be a good influence for both companies and individuals. A customer-led approach helps you avoid massive fines while driving better business in the future.