Since August 2015, the Information Commissioner’s Office (ICO) has fined 104 organisations a total of £8.7 million for breaches in data security and of anti-spam regulations. The organisation has the power to fine companies up to £500,000 for breaking the rules and is now increasingly active in its efforts to cut offences.
Last year alone witnessed an annual increase in fines of nearly 69%, from £2.9 million to £4.9 million. When the EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May, the ICO’s powers will increase still further, with the maximum possible fine rising to 20 million euros or 4% of global turnover, whichever amount is the greater.
While the average fine for SMS spam is a hefty £108,000, e-mail spammers have been treated far more leniently, with the average fine for e-mail breaches standing at a more modest £40,000.
Overall, e-mail offenders are also being punished far less frequently, with just seven fines being issued since August 2015, representing 6.7% of all fines. E-mail spam fines total just £241,250, compared with the SMS spam total, which stands at £1,539,500.
SMS spam fines are also more common, with 23 companies having been fined, making up 22% of all fines.
This difference in the penalty figures may be partly due to the fact that SMS spam is far more intrusive than e-mail spam and more likely to result in a consumer complaint. Junk mail has been part of our lives for so long now that we’ve become conditioned to it and have put in place filters and folders to keep it at bay.
Nearly 50% of all fines for nuisance calls
An in-depth analysis of ICO fines, compiled by The SMS Works, has revealed that nuisance phone calls attracted 33 separate fines, accounting for 46% (£4,017,000) of all fines handed out since August 2015.
Millions of consumers have been pestered by calls at their home, largely due to automated dialling platforms that allow companies to intrude on people’s lives without human intervention.
One of many notable nuisance call fines was handed out to Keurboom Communications in May last year. The business was fined £400,000 for making an astonishing 99.5 million phone calls to people at home.
Commenting on the case, Steve Eckersley (head of enforcement at the ICO) stated: “These calls have now stopped, but our work hasn’t. We will continue to track down those companies that blight people’s lives with nuisance calls, texts and e-mails.”
Data breaches attract highest number of fines
According to The SMS Works’ study, 41 companies and organisations have been fined for data breaches since August 2015. This accounted for 34% (£2,996,501) of all fines.
Telecoms giants in particular have been found to have inadequate data security measures in place. As well as the recently reported £400,000 fine handed down to Carphone Warehouse, TalkTalk was also found to have been open to cyber attack.
In October 2016, the company was presented with a £400,000 fine for security failings that allowed cyber criminals to download the personal details of 155,959 customers and the bank details of 15,656.
Elizabeth Denham, the Information Commissioner, said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate its systems with ease.”
Financial services incur largest number of fines
23% of all fines were dispatched to the financial services sector. This is more than double the number of the second most fined sector.
Surprisingly, charities were second in the ‘Hall of Shame’, attracting 10.5% of fines. Here, fines were mainly for data breaches where the organisations involved had been sharing donor data with other organisations, but without the correct consent having been obtained.
The practice of ‘data enriching’, whereby donors can be profiled more accurately by combining information from multiple sources, is likely to become more problematic when the GDPR comes into effect.
Bright outlook for consumers, bleak times for data breachers
Companies presently thinking of breaking the rules will find little room for manoeuvre in a post-GDPR world.
“The fines data that we’ve outlined should act as a wake-up call to all companies and organisations that process and handle consumer data,” urged Henry Cazalet, founder and director of The SMS Works, in conversation with Risk UK. “The clock is most certainly ticking and those companies that haven’t already done so need to urgently address data security before May’s deadline.”
The risks for marketers strongly outweigh any perceived reward. Ignorance of the rules will be no defence. It’s the responsibility of organisations of all sizes to make sure that all of their activities are compliant with the new regulations ahead of 25 May.
Cazalet concluded: “All of this might mean that we’re on the brink of a new spam-free era, wherein our personal data is secure and our junk folders oddly empty.”