And that’s without GDPR

It’s been an “unprecedented” year for data protection as breaches made almost-weekly media headlines, making citizens more aware of their online information rights.

That’s, at least, according to the annual report by the UK Information Commissioner’s Office (ICO), which found that data protection complaints increased from 21,019 to 41,661 in one year alone.

The ICO, the body responsible for enforcing privacy law such as the famed General Data Protection Regulation (GDPR), said that it had issued £3 million ($2.7 million) in fines over the annual period.

Fines were allocated under the preceding Data Protection Act (1998), the ICO said, as GDPR only came into effect in May of last year.

In total, 22 organizations were issued fees under the DPA – it is not known how many monetary penalties were paid, as many of the investigations are still ongoing.

Companies are typically financially disciplined when they fail to demonstrate significant efforts made in protecting consumer information, both before and after a breach – only 1% of cases result in fines.

Most notably this year, the ICO issued Facebook with a whopping £500,000 ($626,900) fine over its Cambridge Analytica data scandal, in which the tech giant is accused of misleading 87 million of its users.

This has been the ICO’s largest fine to date, though large sums were also handed out to Equifax ($626,900) and Uber ($345,900) last year.

Fines under GDPR can cost companies €10 million ($11.3 million) or 4% of annual turnover.

The ICO closed 34,684 complaints in 2018-19, compared to 21,364 in the previous year, which covered multiple data protection laws including Freedom of Information requests.

Approximately 2,500 cybersecurity incidents were reported that year, the most common attack being phishing (44%), followed by unauthorized access (29%).

On releasing the report this week, Information Commissioner Elizabeth Denham commented:

“The ICO has covered an enormous amount of ground over the last year – from the introduction of a new data protection law, to our calls to change the Freedom of Information law, from record-setting fines to a record number of people raising data protection concerns.

“The biggest moment of the year was the General Data Protection Regulation (GDPR) coming into force. This saw people wake up to the potential of their personal data, leading to greater awareness of the role of the regulator when their data rights aren’t being respected. The doubling of concerns raised with our office reflects that.”

GDPR may have indeed improved information rights, with 33% of data protection officers telling the ICO that they had seen an uptake in consumers exercising their digital rights since it was introduced on May 25, 2018.
