UK data privacy fines on the rise: the most in Europe?

Breaches of UK data protection laws during 2016 attracted 35 fines totalling £3,245,500 – almost double the 2015 total (18). Now with just under a year to go until the biggest change in privacy laws for over 20 years, UK organisations risk even larger fines if they fail to ensure compliance with the General Data Protection Regulation (GDPR).

PwC analysed the UK Information Commissioner’s Office (ICO) data protection enforcement actions over the past five years, specifically looking at monetary penalties, enforcement notices, prosecutions and legal undertakings.

>See also: What is the motivation behind data security?

Stewart Room, PwC’s global cyber security and data protection legal services leader, commented: “The ICO can currently issue fines up to £500,000, but with this set to increase to up to 4% of global turnover under the new regulation, UK organisations must use the remaining time to prepare for GDPR compliance before May next year.”

The analysis for 2016 found that that 23 enforcement notices were issued in 2016 – when organisations are required to take steps to ensure compliance after a data breach – a 155% increase on the nine notices issued in 2015.

The UK was one of the most active regions for regulatory enforcement action in Europe last year, along with Italy (€3.3m). But whereas the European pattern has seen comparatively low volumes of regulatory enforcement actions, with low level financial penalties, this is in stark contrast to the US where fines of approximately $250 million were served.

PwC’s recent CEO Survey found that 90% of CEOs around the world believe breaches of data privacy and ethics will have a negative impact on stakeholder trust, so the time to put this top of the agenda is now before GDPR becomes law from 25 May 2018 across the EU.

>See also: Data privacy and security vs personalisation

From then on, a variety of new compliance obligations will be imposed, including new rules about breach disclosure, data portability, and data use consent. Organisations that fail to comply could face penalties of up to 4% of global turnover or €20m depending on which is higher.

Room concluded that it is “impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?”

Figure 1 - Monetary Penalty Notices issued by the ICO: 2011-2016
Figure 1 – Monetary Penalty Notices issued by the ICO: 2011-2016


Figure 2 - Privacy Enforcement in the UK: Analysis of ICO statistics, 2012-2016
Figure 2 – Privacy Enforcement in the UK: Analysis of ICO statistics, 2012-2016


The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Data Privacy