UK fines for data breaches double to £3.2 million, GDPR to lift bill further

20 June 2017 3 min. read
More news on

New analysis by PwC has found that UK data protection breaches have resulted in a collective fine bill of £3.2 million last year. The firm also predicts the bill is likely to rise if many firms fail to comply with the new General Data Protection Regulation due to become law across Europe in 2018.

The number of fines for breaching UK data protection laws almost doubled in 2016 to 35, with a combined total of £3.2 million.

While it was one of the most active regions in Europe for regulatory enforcement last year, the number of fines in the UK is expected to boom further over coming years with the new General Data Protection Regulation set to become law across Europe in 2018. Under the updated rules, UK organisations risk even larger fines.

In their General Data Protection Regulation (GDPR) readiness survey, examining the recent rise in enforcement, PwC first analysed the UK Information Commissioner’s Office (ICO) data protection actions over the past five years. The Big Four group specifically looked at monetary penalties, enforcement notices, prosecutions and legal undertakings. The analysis for 2016 found that that 23 enforcement notices were issued in 2016 – when organisations are required to take steps to ensure compliance after a data breach – a 155% increase on the nine notices issued in 2015.

Monetary Penalty Notices issued by the ICO: 2011-2016

Upward trend

The consulting firm also performed more than 150 GDPR readiness assessments with clients around the world, many of whom struggled naming a place to start with preparations. Researchers stated many respondents seemed unaware of how to move programmes beyond just risk reviews and data analysis, to delivering real operational change, suggesting a further rise in data protection fines is to be expected unless companies enact radical change in their business plans.

This would fit the current upward trend, in which breaches of UK data protection laws during 2016 attracted thirty-five fines totalling £3,245,500 - almost double the 2015 total of 18. Now with just under a year to go until the biggest change in privacy laws for over 20 years, UK organisations risk even larger fines if they fail to comply with the GDPR.

Privacy Enforcement in the UK: Analysis of ICO statistics

PwC’s recent CEO Survey meanwhile found that while CEOs also anticipated a decreasingly globalised outlook in global markets, 90% of respondents around the world anticipate breaches of data privacy and ethics impacting negatively on stakeholder trust. The GDPR becomes law across the EU from the 25th of May 2018, and PwC analysts therefore concluded by urging companies to put data protection top of their agendas before then. After the Europe-wide roll-out of the law, organisations that fail to comply could face penalties of up to 4% of global turnover, or €20 million depending on which is higher.

Stewart Room, PwC’s global cyber security and data protection legal services leader, commented, “It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?”