The ICO finally bares its teeth

Unless you have been living on another planet this week, you won’t have missed the ICO’s big moment in the sun. The Information Commissioner’s Office (ICO) has announced two massive GDPR fines in recent days, the first time it has reached for the far higher penalties that GDPR introduced for data security breaches.

It’s a bit like waiting on Euston Road for the number 29 bus for 40 minutes, and then two buses arriving at exactly the same time. Two massive GDPR fines for two massive household brands: a record £183m for British Airways, for losing data on around 500,000 customers; and £99m for Marriott Hotels, for losing data on around 30m customers residing in the EU (with some 339 million guest records impacted worldwide).

Before GDPR came into effect, the penalty a company could face after a data security breach was capped at £500,000 under the Data Protection Act 1998. Facebook was fined that maximum in 2018 for its part in the Cambridge Analytica scandal, leading many to question whether the cap needed to be raised.

Now, under the new law, the maximum is €20m (roughly £18m) or 4% of annual global turnover, whichever is higher – and it’s clear that the ICO will be enforcing these massive GDPR fines. In the wake of this news, we’re left asking two main questions: where will all this money go, and will it be used to create a “Super Privacy Police Force”, tasked with hunting down those companies that really haven’t got their house in order (and are putting customer data at risk)?

According to the ICO’s published figures, the watchdog currently employs around 500 people across multiple locations. This may seem like a lot at first glance, but if you’ve ever had contact with them, the organisation doesn’t seem large enough to provide sufficient scrutiny of organisations this large.

At the time of writing, there are only three job vacancies advertised on its recruitment website, but it’s not difficult to imagine the ICO kicking off a recruiting spree after these successes. The ICO states that it’s funded by the data protection fees paid by the organisations it regulates (which start at £40 a year); the fines it issues go to the Treasury’s Consolidated Fund rather than to the ICO itself. Some other regulators across Europe, by contrast, use data breach fines to supplement their own funding.

Will we see an increase in the Privacy Police in the UK? The ICO has certainly widened its scope recently to take in AdTech. It doesn’t appear we are going to see any more privacy bobbies on the beat any time soon, but I would certainly welcome more scrutiny of how my personal data is used and stored. In the long run, GDPR will be a good influence on both companies and individuals: a customer-led approach to personal data helps a company avoid massive fines while driving better business in the future.

Tim Connold