The Complete Guide to ICO Fines

Fines top £23.5 million as ICO cracks down on data breaches and spammers

Since 2010, The Information Commissioner’s Office has handed out an eye-watering £23.5 million in fines to organisations found to have been breaking the rules on spamming or failing to look after consumer data.

Before we dive and look at the fines data, just a quick recap.

What is the Information Commissioners Office or ICO?

The ICO website has a rather tortuous summary of what they do on their homepage.

What that actually means is that they are the UK authority that oversees how consumer data is handled. They have the power to hand out hefty fines to companies that break the rules on spam or data protection.

The fines that the ICO have the power to hand out, fall into 4 main categories

• Data Breaches
• Nuisance Calls
• SMS spam
• Email spam

As the scope of their work has gathered pace, so the organisation has swelled in numbers. When the organisation first started in 1984, they had just 10 members of staff. The ICO now employs of 700 across 4 UK offices.

They are headed up by Elizabeth Denham, the grandly titled Information Commissioner. A native Canadian with an impressive background in all things data protection,

it’s her job to implement GDPR and is ultimately responsible for sanctioning the fines.
 
She has repeatedly laid out  her intention to crack down hard on organisations that fail to look after customer data. 

“When you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

How much can the ICO fine companies for data breaches or spam?

Until GDPR became law in May 2018, the maximum fine that they could hand out was £500,000.
Under the new rules that has soared to 20 million Euros or 4% of global turnover.

It hasn’t taken too long for the ICO to wield its new found powers.

In summer 2019, They announced their intent to fine British Airways £183 million pounds for allowing unauthorised access to around 500,000 of its customer records, including payment details.

Just 2 days later, it was the turn of Marriott Hotels to receive a mauling and a monster fine. Their penalty of £99 million was for an equally inept leak of around 339 million customer records.

The complete ICO fines analysis from 2010 – 2019

The ICO helpfully publish details of all the fines they hand out along with details of the organisation and the precise reasons for the fine.

While the information that they release is pretty comprehensive, they don’t really provide any analysis. 

This research by The SMS Works excludes the 2 massive fines that British Airways and Marriott received in summer 2019.

The ICO has announced its intent to hand out the fines, but both are unsurprisingly being appealed, so don’t yet appear on the ICO’s website as actual fines.

ICO fines rise by 450% over 5 years

Excluding the 2 monster fines of 2019, the ICO has issued 216 fines totalling £23.5 million.

In the past 5 years, fines have risen 450%, from £1.15 million in 2014 to £6.3 million in 2018.

This rise is likely to accelerate as post GDPR data breaches and spam offences come to light and fines are issued.

Interestingly and perhaps surprisingly given the hype surrounding GDPR, 2019 has been a quiet year for fines. In the first 9 months, only 13 fines have been issued. During the same period in 2018, that figure was up to 29.

The total number of fines has also been on the rise, as well as the total amount fined. In 2011, just 11 organisations received an ICO fine. By 2017 the number had surged to 52, a rise of 372% over 4 years. 

Data breaches account for over 50% of all monetary penalties

Of the four main offence types, data breaches, email, SMS and nuisance calls, data breaches are by far the most fined offence. Since 2010, 110 fines have been handed out for data breaches, that’s 50.9 % of the total.

Nuisance calls, undoubtedly the most invasive of the 3 spam offences, make up 27% of all fines, with SMS spam representing a modest 16% of the total.

Email spam offences are the least fined, with just 13 fines being handed out over the same period or 6%

Data breaches attract £12.5 million in fines

The total amount fined for each type of offence reflects the numbers of fines figures.
Once again data breaches dominate with a £12.6 million in fines or 54% of the total figure

The fines for nuisance calls are more than double those of SMS and email combined.

Company fined £400,000 for making nearly 100 million nuisance calls.

The largest fine for a nuisance call campaign was issued to Keurboom Communications Ltd in May 2017.The company was responsible for a staggering 99.5 million calls to UK consumers.

In his typically forthright manner, Steve Eckersley, head of enforcement at the ICO said:

“Keurboom showed scant regard for the rules, causing upset and distress to people unfortunate enough to be on the receiving end of one its 100 million calls.
These calls have now stopped – as has Keurboom – but our work has not. We’ll continue to track down companies that blight people’s lives with nuisance calls, texts and emails.”

Email spam slips under the radar

Since 2010, just £635,000 were for email spam offences, a very modest 2.8% of the total. And only 13 fines in total.

Public sector organisations responsible for over 27% of all fines

Contrary to what you might expect, public sector bodies receive far more fines than any other type of organisation. 

60 fines have been handed out to the public sector, over 27% of all fines that’s nearly double those in the financial services sector which is often cited as the worst culprit for ICO offences.

Those 60 fines have raised more than £7.3 million fines and represent 31% of the total amount fined.

Out of the 60 public sector fines,12 of them were handed out to the NHS and 9 to the The Police. All public sector fines were for data breaches.

54% of all data breach fines were handed out to Public Sector organisations

Focusing solely on the fines for data breaches, the public sector is responsible for 54% of all fines. The 60 fines have raised more than £7.3 million and represent 31% of the total amount fined for data breaches.

Local council were responsible for half of all data breaches.

It seems that public sector organisation have trouble holding on to and adequately looking after devices that contain sensitive or personal information. On 18 separate occasions, departments have either lost laptops, USB drives or folders containing sensitive information.

They have a habit of leaving offices buildings empty except for desks and a few cabinets still containing personal data. On one occasion a filing cabinet was sent to an office supplies auction still stuffed with files containing sensitive personal data.

None of the public sector data breach fines was for a data leak following a successful hack. All were down to human error of some sort.

PPI and accident claims calls continue to be a public menace

Most of us wonder how PPI and accident claims calls can ever have worked. There are massive call centre costs and the conversion rate must be infinitesimal.

Think of the cost of trying to recruit for this sort of call centre, I can’t imagine there would be many takers.

But it must be working because companies persist in these type of cold calling campaigns, paying no regard for consumers’ distress or anxiety at being pestered in this way.

The ICO continues to bring these unscrupulous companies to account, having fined 4 claims companies in 2018 and 2 up to September 2019.

£350,000 fine for nuisance caller

One of the largest fines for PPI was given to a company who made 75 million calls in just 4 months.
The ironically named, Miss-sold Products UK, were fined £350,000 for completely ignoring the rules on marketing calls.

Commenting on the case Andy Curry, ICO Group Enforcement Manager said:

“This company blatantly ignored the laws on telephone marketing, making a huge volume of intrusive calls over a short period of time and without any apparent attempt to ensure they had the consent of the people they were harassing.

The ICO will come down hard on rogue operators who want to treat the law and the UK public with contempt.”

Home improvements companies under scrutiny

The home improvements sector is not one that you’d readily associate with bad business practice. It has however been on the end of 28 separate fines totalling £3 million.

All the offences were related to illegal cold calling consumers at their home address. 

The companies were mainly involved in the selling of solar power and home security equipment.
The largest fine issued to a home improvement company was £250,000, given to The Energy Saving Centre Ltd.

They were caught phoning an astonishing 7 million people, many of whom who had already registered with The Telephone Preference Service. 

Their intrusive campaign generated 1138 complaints.

Lack of clarity in ICO fines process?

Examining the amount that some organisations are fined, raises the question of whether the fines process is fair and equal.

Looking at fines for SMS spam, there is a massive variance in how much the ICO fined different companies for SMS spam offences.
There seems to be little correlation between how many texts were sent and the size of the fine handed out. 

The number of complaints that a spam campaign generated could be used a measure of how much irritation or inconvenience the SMS caused. 

But the number of complaints received doesn’t correlate to the fine that the ICO thought appropriate.

A harsh fine for EE

For example, the mobile phone operator EE was handed out a £100,000 fine for inadvertently breaking the rules on sending SMS. 

They had sent a text to 2.5 million customers that combined a service message with direct marketing, when they hadn’t obtained the correct opt-in for the marketing part of the message.

In their ruling, the ICO explicitly stated that  

“EE Limited did not deliberately set out to breach electronic marketing laws”. 

The SMS campaign generated no complaints at all.
It was simply a genuine bulk SMS campaign to existing customers

For each message sent, EE were fined 4 pence.

Spammer gets away lightly

By contrast, a company called Tax Return Ltd, sent 14.8 million texts, blatantly blanket spamming huge swathes of the population.

The campaign generated an astonishing 2146 complaints, giving a strong indication of the seriousness of the offence.

They were fined just £200,000 for this massive scale spam campaign.

For each text they sent, they were fined just 1.35 pence, a third as much as EE, despite the hugely more serious offence.

There’s an evident lack of clarity as to how the ICO fines companies for spam and the inconsistencies appear quite dramatic.

This inequity raises questions about whether the ICO, should reveal the basis on which they fine organisations and whether the whole process should be more transparent.

It could be argued that the ICO is making an example of high profile companies while spammers that are causing genuine distress are getting off more leniently.

Uncharted waters, post GDPR

After a relatively quiet period immediately after GDPR came into force, we are now starting to see the numbers of fines for offences committed post GDPR increasing.

The first 2 monster hammer blows for British Airways and Marriott Hotels demonstrate that the ICO will be delivering on its promise to come down hard on companies that don’t look after personal data correctly.

Those 2 data breach fines alone are 12 times as much as the ICO has fined for all offences since 2010.

It’s a sobering thought.

Fines of this size would wipe out most companies and it’s hard to fathom how the ICO can be seen to be being fair if they don’t deploy the same ruthless approach as they have with BA and Marriott.