A law firm which offers more

Call us: 0113 246 0622

The rise of GDPR fines - Could your business be at risk?


The UK’s Information Commissioner’s Office (ICO) has, for the first time, used its powers under the General Data Protection Regulation (GDPR), to fine companies which have failed to protect their customers’ data.

Two companies, British Airways (BA) and Marriott Hotels, were fined by the ICO for failing to prevent hackers from stealing their customers’ information. BA was hit with a record £183.4m fine, whilst Marriott was charged with the equally eye-watering sum of £99.2m. With these fines, the ICO appears to be making it clear that breaches of data protection law will be taken seriously, and the size of the fines issued will reflect this.

These actions would also appear to be part of a more general trend - one that was starting to emerge even before GDPR came into effect - of an increase in the number and amount of fines being issued, with the ICO twice imposing the maximum monetary penalty possible under GDPR’s predecessor, the Data Protection Act 1998.

General trend in data protection – an increase in fines

And it’s a trend that is not just evident at the ICO in the UK. An increase in the penalties that can be handed down by data protection authorities is a trend that is being seen across the board, and around the world.

This is thanks, in part, to the introduction of GDPR, which raised the stakes for data protection around the world. Subsequently, at least ten other countries, including Argentina, Australia and Brazil introduced legislation increasing the penalties organisations face for failing to protect customer data, ranging from hefty fines to imprisonment. Brazil and Australia, for example, have penalties of more than $1,000,000 per violation, while Mexico, Indonesia and the Philippines can impose fines of between $100,000 and $1,000,000.

In the US, consumer protection agency the Federal Trade Commission (FTC) recently levied a record fine of $5bn on Facebook for its role in the Cambridge Analytica scandal. This is the largest fine imposed by the FTC against a technology company, and the largest ever against any company for a privacy violation.

And, of course, earlier this year, the French data regulator Commission Nationale de l’Informatique et des Libertés issued a €50m fine (£44m) to Google under GDPR for not sufficiently informing the public of how they collected data to personalise advertising.

Why are GDPR regulatory fines increasing?

While the penalties may vary from country to country, the increase in fines is delivering a clear message: data protection is becoming a greater focus around the world and, because of this, the penalties for non-compliance have become more serious.

The UK’s ICO, which was in the past viewed as understaffed and underpowered, has seen its average staff numbers increase by a third - from 480 to 638 year-on-year, in line with its increased powers under GDPR - and its role is now viewed as utterly critical in the digital age. As head of the organisation, Information Commissioner Elizabeth Denham, has said the introduction of GDPR “…saw people wake up to the potential of their personal data, leading to greater awareness of the role of the regulator when their data rights aren’t being respected.”

Ultimately, there is a distinct and identifiable trend among data protection regulators, including those from a variety of countries and subject to various different laws, of imposing better control over data usage - and they are doing it through the power of increased penalties.

What this regulatory landscape means for your business

Given the trend for increasing fines, we expect to see much greater and more high-profile penalties being imposed as the ICO, and other data protection authorities around the world, flex their muscles thanks to the powers awarded under GDPR, or the GDPR-inspired rules in their country.

And it’s not just larger, international companies that are at risk of being penalised. SME businesses which fail to comply with GDPR, or the relevant data protection authority, run an equal risk of being hit with a large fine – up to a maximum of €20m or 4% of annual turnover, whichever is bigger. The size of the fine is determined by a range of factors including:

Companies may therefore want to double-check their compliance plans:

If you’d like to discuss any of the information that appears in this blog, please contact a member of our Commercial and IT Team.


Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.