Penalties for privacy regulation breaches from 2020-21 total more than £2.2m

The Information Commissioner’s Office (ICO) issued £2.2 million in fines for privacy regulation breaches in 2020-21, whilst also pushing to improve regulations for businesses with a number of new initiatives.

The data, analysed by the Parliament Street think tank, was uncovered in the Government’s recently published Better Regulation Annual Report 2020-21, which detailed the fines and penalties for the reporting period alongside actions taken to assist businesses.

The Information Commissioner’s Office fines totalled £2.2 million for various breaches, the largest of which was £2.1 million of penalties for privacy and electronic communications breaches.

The ICO issued £98,800 worth of fines to non-public sector organisations for not registering with the ICO and a further £25,000 for “other” data protection breaches.

In line with its better regulation duties, the ICO also handles individual complaints, reporting 37,000 complaints about data protection issues during 2020-21, with over a third concerning businesses and over 9,500 relating to personal data breaches.

The Information Commissioner’s Office has also taken action to assist and improve regulation amongst businesses.

Amongst its initiatives, the ICO has developed a Small and Medium-sized Enterprises (SME) web hub to make it easier to act upon data protection advice. By the end of September 2021, the ICO had responded to 390,000 organisations with the majority being SMEs.

The ICO also published a Data Sharing Code, supporting digital innovation across businesses by providing practical advice on how to share data responsibly.

The Department for Business, Energy and Industrial Strategy stated that the Government “will strive to achieve the right regulatory balance between supporting excellent business practice and protecting workers, consumers and the environment.”

Charlie Smith, Consulting Solutions Engineer at Barracuda Networks, said: “Proactive data protection and governance is key for organisations and businesses, from well-tested backup and recovery procedures including data retention policies, through to email archiving and data security.

“Seeing regulations being enforced is always welcome as it serves as encouragement for businesses to follow guidelines and best practice. With ransomware still booming as one of the top threats targeting businesses, data backup solutions and cloud security should be treated as a top priority so that, at the very least, businesses don’t find themselves on the wrong side of the regulator and facing a hefty fine.”

James Alliband, Senior Manager of Product Strategy at Tessian, said: “In the four years since GDPR came into effect, people are handling more data than ever before and are more reliant on electronic communications to stay connected to their colleagues while working remotely. But mistakes happen – and these mistakes can quickly compromise data security and result in costly regulation breaches, as shown in this report.

“Humans are the first line of defence, and businesses need to provide more education on how to comply with strict data protection regulations to help avoid facing the millions of pounds worth of regulatory fines. Training alone, though, is not enough. Businesses also need to address how their employees’ actions could result in serious breaches and adopt measures that can actually prevent security incidents caused by human error in the first place.

“It’s also important for businesses to consider how best to empower the security operation centre with greater visibility and context of remote workers to help stop data breaches.”