GDPR was supposed to usher in a brave new world of bumper fines and data responsibility, but is the ICO making the best use of its powers?

The build-up to the launch of GDPR was a bit like the wait for the millennium bug. Headlines warned of massive penalties of up to 4% of annual turnover. The industry braced for impact and then… nothing. The big fines failed to appear in 2018, leaving many to wonder if this, like the millennium bug, would be a lot of fuss over nothing.

More recently, though, things have begun to pick up. We’ve seen big fines for British Airways and Marriott. Facebook faces potentially billions of dollars’ worth of fines across multiple investigations. Regulators have shown that although they see fines as a last resort, they are willing to go big when required.

Even so, we have not yet seen fines hitting the 4% limit as promised, but this in itself should not surprise us too much. The ICO never issued the highest possible fines under the old Data Protection Act. The severity of the breach and the degree to which the company is deemed to have been responsible have always influenced the scale of the fines imposed.

Financial services worst hit

One area in which the doom-mongers might have been right was in guessing that financial services would be heavily hit. Data on enforcement actions seems to back this up, as the financial sector has received more GDPR penalties than any other. Overall, the data suggests there have been 68 enforcement actions across the EU, with 11 of those going to the financial services sector. The professional sector came second with seven fines, followed by the public sector and healthcare.

Most fines issued (41) were for breaches in the processing of personal data, while 23 were issued over the lawfulness of the processing itself. Three fines were issued for the way a breach was communicated to the regulators, and one for the way in which a breach was communicated to the affected individuals.

Too early to tell

GDPR is beginning to have an impact, but in many ways it may be too early to tell. The ICO only applied GDPR to breaches that occurred after the new regulations came into force. As such, most of the enforcement actions taken during 2018 were brought under the older regulations. It is only in 2019 that we have really seen GDPR taking shape.

Across the continent, regulators are also working to adapt their approach, and some have been clearer than others.

A good guide comes from the Dutch regulator, which issued this guidance on how it will approach fines. It has three main categories:

  1. Simple or clerical violations, which carry fines of €100,000.
  2. Failure to fulfil specific GDPR requirements regarding data processing, which will be fined at €310,000.
  3. The most serious instances, where a company refuses to be transparent and fails to notify users or the regulators. These attract fines of €525,000.
  4. The unlawful processing of special categories of data, which attracts fines of €725,000.

These are early days indeed, but regulators are showing a degree of understanding. They are less concerned with penalising basic errors than with cracking down on those companies which have seriously broken the law, or shown a lack of transparency when problems do occur. This is why companies such as Facebook, which have repeatedly faced questions over the way they handle data, tend to come under the greatest scrutiny.