The ICO has the power to fine companies up to £500,000 for breaking the rules and they are increasingly active in their efforts to cut offences.
2017 saw an annual increase in fines of 58%, from £2.9 to £4.9 million. When GDPR comes into effect on May 25th, the ICO’s powers will increase still further, with the maximum possible fine rising to 20 million Euros or 4% of global turnover, whichever is the greater.
Nearly 50% of all fines for nuisance calls
ICO fines analysis, compiled by The SMS Works, revealed nuisance phones calls attracted 33 separate fines, accounting for 46% (£4,017,000) of all fines handed out since August 2015.
Millions of consumers have been plagued by spam phone calls at their home address, largely due to automated dialling technology that allows companies to intrude on people’s lives without human intervention.
One of many notable nuisance call fines was handed out to Keurboom Communications in May 2017. They were fined £400,000 for making an astonishing 99.5 million phone calls to people at home.
Commenting on the case, Steve Eckersley Head of Enforcement at the ICO said,
These calls have now stopped but our work has not. We’ll continue to track down companies that blight people’s lives with nuisance calls, texts and emails.”
Email offenders operating beneath the radar
While the average fine for SMS spam is a hefty £108,000, email spammers have been treated far more leniently, with the average fine for email breaches standing at a more modest £40,000.
Overall, e-mail offenders are also being punished far less frequently, with just 7 fines being issued since August 2015, 6.7% of all fines. Email spam fines total just £241,250 compared to the SMS spam total which stands at £1,539,500.
SMS spam fines are also more common, with 23 companies having been fined, making up 22% of all fines.
This difference in the penalty figures may in part be due to the fact that SMS spam is far more intrusive than email spam and is more likely to result in a consumer complaint. Junk mail has been part of our lives for so long that we’ve been become conditioned to it and have put in place filters and folders to keep it at bay.
Data breaches attract the highest number of fines
41 companies and organisations have been fined for data breaches since August 2015. This accounted for 34% (£2,996,501) of all fines.
Telecoms giants in particular have been found to have inadequate data security measures in place. As well as the recently reported £400,000 fine handed to Carphone Warehouse, Talk Talk Telecom was also found to have been open to cyber attack.
In October 2016, they were also presented with a £400,000 fine for security failings that allowed cyber criminals to download the personal details of 155959 customers and the bank details of 15656.
Commenting on the case, Elizabeth Denham, Information Commissioner said,
TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”
Financial services incur largest number of fines
23% of all fines were dispatched to the financial service sector, more than double the number of the second most fined sector.
Charities were surprisingly second in the hall of shame, attracting 10.5% of fines.
For charities, the fines were mainly for data breaches where they had been sharing donor data with other organisations, without the correct consent having been obtained.
The practice of ‘data enriching’, where donors can be profiled more accurately by combining information from multiple sources is likely to become more problematic when GDPR comes into effect.
A bright outlook for consumers – bleak for spammers
Companies that are thinking of breaking the rules will find little room for manoeuvre in a post GDPR world.
The fines data should act as a wake-up call to all companies and organizations that process and handle consumer data. The clock is ticking and companies that haven’t done so already, need to urgently address data security before the deadline.
The risks for marketers strongly outweigh any perceived reward and ignorance of the rules will be no defence. It is the responsibility of organisations of all sizes to make sure that all their activities are compliant with the new regulations in time for the May 25th deadline.
All this might mean we’re on the brink of a new spam-free era, where our personal data is secure and our junk folders oddly empty.