Record data protection fines ahead of GDPR

By Sam Thomas | 24th May 2018 | 9 min read

There’s been a lot of talk about the impact of GDPR over the past few months, but it can still feel somewhat ill-defined.  

With the ICO guidelines open to interpretation as to what “legitimate interest” is and what actually constitutes an “opt in”, it can be tempting to simply shrug the GDPR deadline off and wait for further instructions.

Recent analysis from the Information Commissioner’s Office shows that this simply isn’t an option, however, as data protection fines issued to UK businesses reached a record £4.2 million last year – and under the GDPR this number is only going to get higher.

An increase in action

Over the last 12 months, the Information Commissioner’s Office (ICO) issued 54 financial penalties to UK businesses for not adhering to the existing Data Protection Act (1998).

PricewaterhouseCoopers (PwC) reported that the number of actions (including penalties, prosecutions and enforcement notices) has steadily increased over the past 4 years. They report that 91 enforcement actions were taken for data braches in the last year, with the 54 penalties issued totalling £4,207,500 – almost £1 million higher than the previous year.

There’s a risk of heavier fines due under GDPR

Currently, the ICO can only issues fines up to £500,000 and, over the last year, only 14 of the fines issued by the ICO reached more than £100,000.

Under the GDPR, similar breaches could now see business pay up to €20 million (£17.5 million) or 4% of their annual turnover global turnover if that proves to be higher.

This is easily enough to wipe out the average SME, and cause significant damage to even the most comfortable of enterprise-level businesses.

It’s worth pointing out that ICO have gone on record saying that they aren’t prioritising fines under the GDPR. In their myth buster, they’ve said that the priority is “putting the consumer and citizen first”.

The ICO’s aim is to advise and educate businesses to help them stay compliant with data protection laws, so if you’re unsure of any of the points, get in touch with them and they’ll help you. After all, failure to handle personal data responsibly will not only put your customers at risk but it will also serve to damage your business’s reputation.

Overview of the GDPR

The General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 on 25 May 2018. As with the Data Protection Act, the GDPR applies to both data “controllers” and data “processors”.

If you’re a data controller, you say how and why personal data is processed, and if you’re a data processor then you act on the controller’s behalf.

The GDPR intends to give individuals more control over their personal data, and to ensure that business across the EU (including the UK, even after Brexit) handle personal data in the same. Global businesses dealing with the EU are expected to follow the GDPR, and as a result a number of international businesses are adopting the GDPR into their own system for the sake of simplicity.

For more information on the GDPR, please visit our GDPR hub or the ICO website.

How are we preparing?

At IRIS, we’ve been preparing for the GDPR since June 2016.

Since then, our Group Data Protection Officer has led us through a huge internal project that has included risk assessments for each product and service we offer, and has seen us refine our internal processes to ensure we’re compliant at organisational, divisional and departmental level. 

You can read the full details of this project here, but for an overview, we can guarantee that:

  • An outcome of our data protection review is the corporate framework necessary to demonstrate to customers and prospective customers that we manage personal data responsibly and within a culture of privacy.  
  • We will ensure we continue to manage personal data in compliance with data protection laws applicable to data processors by keeping our processing activities under review. 
  • We endeavour to make our products suitable for our customers to achieve data protection compliance so that our customers have what they need by the time the new laws come into force.
  • Any essential improvements we identify from our product gap analyses and risk assessments will be implemented within our products and services promptly.
  • We have in place a critical incident reporting procedure to ensure that any breaches, if they were to occur, are assessed and notified to customers without undue delay to allow customers to meet the reporting timescales in the new law.

If you require any further information on the IRIS Group’s activity regarding GDPR, please use the below links:


We’re here to point you in the direction, but the information we provide is for general guidance purposes only. It isn’t intended to be legal advice, and shouldn’t be taken as such.