UK organisations were fined more than £6.5m for breaching data protection laws in 2018, over £2m more than the previous year, although tighter rules and controls under the General Data Protection Regulation (GDPR) have not yet resulted in major fines.
The PwC research analysed the UK Information Commissioner’s Office (ICO) data protection enforcement actions, looking at monetary penalties, enforcement notices, prosecutions and undertakings.
The data showed that while the total sum of fines has increased, the number of enforcements issued fell to 67 in 2018, from 91 in 2017.
Half of all infringements related to marketing activities, and telephone calls accounted for 64% of marketing infringements. A quarter (25%) of enforcement actions related to personal data security breaches.
While private sector companies accounted for 86% of the enforcements, PwC says scrutiny remains on public sector organisations given the sensitive nature of the data they handle.
Stewart Room, lead partner for GDPR and data protection at PwC, said: ‘2018 was a transitional year for data protection in the UK, with the introduction of the GDPR in May, but the trend of enforcement remained constant in comparison with previous years, with marketing and security infringements dominating the regulatory agenda.
‘The absence of any GDPR fines in 2018 was not surprising, as it takes many months for cases to work through the system, but we know that they are on their way.
‘As well as looking at how to improve their levels of legal compliance, organisations need to focus on how good approaches to the handling of personal data can help them to deliver on their business purpose, to help and sustain the creation of long-term value and trust.’