The enforcement activities of the Information Commissioner’s Office (ICO) have increased over the past three years, with a marked shift away from headline-grabbing financial penalties in favour of more subtle and sophisticated enforcement tools.
According to PwC’s new Privacy and Security Enforcement Tracker, the number of enforcement notices (which order businesses to take remedial action) has quadrupled in the last two years alone.
Meanwhile, the number of businesses criminally prosecuted has risen significantly, from seven in 2013 to 18 in 2014.
The most frequently used tool of enforcement was ‘written undertakings’, through which businesses promise to change their ways.
While the number of financial penalties issued fell from 18 in 2013 to just 11 in 2014, the average value of these penalties increased by 24% (from £84,000 to £104,000).
The shift away from the use of fines and the preference for enforcement notices and undertakings will deliver greater benefits for consumers because businesses are focused on taking constructive steps to protect personal information and privacy. They also present a more perilous environment for companies, though, as the cost of remedial actions will often exceed the maximum fine that the ICO can levy.
Security breaches and marketing offences
The main reason for enforcement action in the UK continues to be security breaches, but marketing offences are also becoming more prevalent.
In one case, a music festival organiser was fined £70,000 for sending over 70,000 unsolicited marketing text messages. This significant fine suggests a move towards a much stronger enforcement environment for activities connected with the monetisation of the customer.
Businesses are warned that data analytics about consumer behaviours and consumer profiling are likely to occupy more of the ICO’s attention if these activities are profit-making.
Stewart Room, partner at PwC Legal and author of the PwC report, told Risk UK: “If you’re a regulated entity, you cannot afford not to track and react to developments in enforcement cases. If you don’t understand what’s happening on the ground you will fail to adjust your business operations to take account of current and emerging regulatory priorities. You will then be exposed to enforcement action which can lead to massive business disruption.”
Room went on to state: “Regulators are acquiring expertise, knowledge and insight to match any business. Indeed, what we are witnessing is the emergence of what will be one of the toughest regulatory environments for business. New EU data protection legislation, to be adopted in the next 12 months and fully implemented by 2018, will bring tougher sanctions that aim to make the ICO and its EU counterparts some of the most powerful business regulators in existence.”
By way of a warning, Room concluded: “Offending companies could soon be forced to hand over up to 5% of their annual worldwide turnover to regulators who are now becoming increasingly savvy in the way they perform their activities.”
*PwC’s 2014 Enforcement Tracker reviews all of the ICO’s data protection enforcement cases for the past 12 months. The Tracker also incorporates insights from Belgium, France, Germany, Italy, Lithuania, Mexico, Poland, Russia, Spain, Sweden and Switzerland, as well as highlighting the top ten themes that appeared in EU regulatory guidance last year.