Before the introduction of the GDPR, the ICO could issue fines capped at £500k. The limitation on the fine amount meant that large global organisations were unlikely to feel the impact of the penalty. The ICO now has the power to issue companies a fine equaling 4% of their annual turnover.
Over the years, the ICO has handed out some of the biggest penalties for data breaches where companies have failed to protect customer data. From 2020 to 2021, the ICO issued a record amount of £42m in fines issued, which is a 1580% increase from the previous year.
Top ICO fines issued
- British Airways - £20m fine (2020)
- Marriott Hotels - £18.4m fine (2020)
- Clearview AI - £7.5m fine (2022)
- Ticketmaster - £1.25m fine (2018)
- Cabinet Office - £500k fine (2021)
- Doorstep Dispensaree Ltd. (Pharmacy) - £275k fine (2019)
These fines can devastate organisations on the receiving end, ensuring the consequences of lax data protection practices are felt. We explain why these penalties are issued so that your organisation can avoid being in the same boat.
The biggest ICO fines in detail
1. British Airways - £20m (2020)
GDPR breaches - Article 5(1), 32
The ICO fined British Airways £20m after failing to protect the personal data of more than 400,000 customers.
The investigation found that the airline was processing significant personal data without adequate security measures. This failure broke data protection law, and, subsequently, BA was the subject of a cyber-attack in 2018, which it did not detect for more than two months.
The attacker potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details believed to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. The usernames and passwords of BA employee and administrator accounts and usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.
British Airways had been fined an eye-watering £183m for its GDPR failings last July. However, this was reduced to £20m due to the economic impact of COVID-19.
2. Marriott International - £18.4m (2020)
GDPR breach - Article 32
Marriott International Inc failed to keep millions of customers' personal data secure, with 339 million guest records worldwide believed to have been affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack remained undetected until September 2018, when Marriott had acquired the company.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status and loyalty programme membership number. Although this is a large fine, it is significantly less than the fine of £99m that the Information Commissioner's Office (ICO) initially issued.
3. Clearview AI - £7.5m (2022)
GDPR breaches - Art. 5 (1) a), e), Art. 6, Art. 9, Art. 14 GDPR, Art. 15, Art. 16, Art. 17, Art. 21, Art. 22, Art. 35
The ICO found Clearview AI Inc. breached UK data protection law. The company has been issued a fine of £7.5m and told to delete the data of UK residents. The ICO came to its decision after identifying that Clearview AI Inc. failed to have a lawful reason to collect personal data.
The unlawful data collection was one of the many breaches of UK data protection law. Clearview AI Inc. had collected over 20 billion images of people's faces to create an online database. The company did not inform these people that their images were being collected and used this way.
4. Ticketmaster - £1.25m (2018)
GDPR breaches - Art. 5 (1) f), Art. 32
The ICO has fined Ticketmaster UK Limited an amount of £1.25m for failing to protect its customers' personal data. The ICO found that the company did not implement appropriate security measures upon investigation. This failure resulted in a cyber-attack on a chatbot installed on Ticketmaster's online payments page.
The data breach affected 9.4m customers and involved information on customer names, payment card numbers and CVV numbers. Despite numerous warnings about fraudulent activity, the ticket retailer only identified and addressed the problem nine weeks later.
The ICO also ruled that the company has failed to accurately assess the risk of using a chatbot on their payments page. The penalty issued relates to the breach from May 2018, when the new rules of GDPR came into effect, even though the breach began in February of that year.
5. Cabinet Office - £500k (2021)
GDPR breaches - Art. 5 (1) f), Art. 32
Cabinet Office was fined £500k for failing to have technical and organisational measures to prevent breaches of data protection law. Following the New Year honours award at the end of 2019, the department published the personal details of those recognised by the Queen on the gov.uk website.
The failure of the Cabinet Office to mitigate the risk of a data breach exposed hundreds of people to the risk of identity fraud. Investigation into the Cabinet Office found "pockets of best practice" undermined by "concerning lapses" in behaviour and processes.
6. Doorstep Dispensaree Ltd. (Pharmacy) - £275k (2019)
The ICO fined Doorstep Dispensaree Ltd. (Pharmacy) for failing to ensure the security of special category data. Doorstep Dispensaree had left around 500k documents containing the personal information of an unknown number of people in unlocked containers.
In addition, the company had failed to process these documents to ensure appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage. As a result, the documents were also water damaged.
Want to learn more about GDPR?
To help you plan and execute compliance in your organisation, we have created a comprehensive GDPR roadmap.
We also have 80+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
Last but not least, you can interact in person with thought leaders and your peers at one of our popular live webinars and face-to-face events.
If you've any questions or concerns about compliance or e-learning, please get in touch.
We're happy to help!