Data protection monetary penalties have increased by £2m in the past year, while the number of enforcements issued fell by more than 20 from the number issued in 2017.
The data also showed that while the total sum of fines has increased, the number of enforcements issued fell to 67 in 2018, from 91 in 2017.
According to PwC’s 2018 Privacy & Security Enforcement Tracker, monetary penalties issued to UK organizations for breaching data protection laws in the calendar year 2018 totaled more than £6.5m in 2018, over £2m more than the previous year.
After we marked a year since the deadline for GDPR compliance, the data also showed that private sector companies accounted for 86% of the enforcements, but scrutiny remains on the public sector given the sensitive nature of the data it handles. Also, a quarter (25%) of enforcement actions relate to personal data security breaches.
Stewart Room, lead partner for GDPR and data protection at PwC, said that the trend of enforcement remained constant in comparison with previous years, with marketing and security infringements dominating the regulatory agenda.
“The absence of any GDPR fines in 2018 was not surprising, as it takes many months for cases to work through the system, but we know that they are on their way,” he said. “As well as looking at how to improve their levels of legal compliance, I would encourage organizations to focus on how good approaches to the handling of personal data can help them to deliver on their business purpose, to help and sustain the creation of long term value and trust.”
In an email to Infosecurity, Emma Loveday-Hill, senior associate and data protection specialist at Prettys, said that as monetary penalty notices in the last year were issued under the old legislation (the Data Protection Act 1998), where the maximum fine was £500,000, there were still numerous high level fines issued due to the fact that there were a number of serious breaches.
“In terms of the reduction in enforcement notices, this is likely to be due to the fact that the ICO has been busy dealing with the backlog of complaints and issues brought to their attention since the introduction of the GDPR and DPA 2018,” she said.
“Investigations by their very nature take time to carry out, and given the likely number of the complaints and issues raised with the ICO, this has no doubt had an impact on how quickly enforcement notices are handed down.
“Our message is still very much ‘watch this space’ as the ICO are just getting started in terms of what they are doing under the GDPR and Data Protection Act 2018, and going forward we are likely to see a higher number of enforcement notices and fines coming through over the coming months as the ICO makes its goal for 2019 a clear one: breaches of data protection law will be taken seriously and financial penalties will be issued as a result of noncompliance.”
Data protection officer Steve Wright said that the drop in enforcements is in contrast to the “sheer quantity of notifications” which has gone up ten fold since May last year. “The ICO are possibly struggling to cope with the sheer weight of notifications, as each one requires trained individuals to examine the notification and the evidence provided (so heavily dependent upon manual inspection),” he said.
“When I was the DPO for a major retailer, the number of Subject Access Requests, complaints and new ‘Rights’ requests had gone from 250 per year to 1800 within six months (in 2018). That presented us with a huge challenge and cost; the amount of planning, process improvement, recruitment and training was nothing short of a huge military style exercise, and fortunately we were prepared for the drop date.
“I’m told this number has now stabilized and is expected to hover around the 1500 unique request per year, but still six fold increase and therefore a new cost of doing business with consumer data is and has hit the consumer facing businesses particularly hard.”
Wright also said that the ICO “has been on a massive learning curve” as the level of understanding about what it deems to be ‘notifiable’, and the ability to sort out the real issues (based on impact to the individual) from the noise, has taken time to learn.
“It stands to reason that just like any business, keeping up with demand is difficult to predict and manage. It also raises the prospects of less enforcement actions, but more interesting and prevalent cases that we can (as an industry) learn from.”