When looking to comply with the General Data Protection Regulation (GDPR), it is always a worthwhile exercise to understand which areas of noncompliance organisations are falling foul of. As such, URM has carried out a review and analysis of the fines imposed in 2022 by the Information Commissioner’s Office (ICO), the UK’s privacy regulator, and has also looked to see whether there were any discernible differences from 2021.
Number of Fines and Sector Focus
In 2022, the ICO imposed a total of 34 monetary penalties across 33 cases. The breakdown of fines being imposed on private and public sector organisations is shown in the following pie chart:
One immediate ‘headline’ to note is that only one of the 33 organisations fined during 2022 operates in the public sector. Maybe we shouldn’t be too surprised, given the announcement from the Information Commissioner, John Edwards, in the summer of 2022 that the ICO would be rethinking its approach to data protection enforcement against public bodies. The Commissioner announced there would be a move away from fining public sector organisations, which do not use ‘their own money’ but rather taxpayers’ money to pay fines. It was judged that more practical and effective sanctions or deterrents would include issuing reprimands and ‘naming and shaming’. It will certainly be interesting to see if the proportion of public institutions receiving fines from the ICO remains low in 2023. With the sole fine that was imposed against a public sector body in 2022 (Tavistock & Portman NHS Foundation Trust), it is notable that the ICO reduced the penalty imposed on the Trust from £784,800 to £78,400.
In terms of comparison with 2021, the number of fines was remarkably similar: 36 fines, of which 35 were imposed on the private sector and, again, just one on a public sector body.
Reasons for Fines Being Imposed
OK, let’s look at the reasons why fines were imposed by the ICO in 2022. The following table summarises what breaches occurred for the fine to be imposed.
This shows (perhaps surprisingly) that the majority of the ICO’s fines were directed not at infringements of the GDPR/UK GDPR, but at breaches of the Privacy and Electronic Communications Regulations (‘PECR’). Furthermore, there is no indication at present from the ICO that there will be any change of focus in its monetary enforcement efforts between PECR and UK GDPR during 2023. In terms of comparison with 2021, of the 36 fines imposed, 33 related to PECR infringements and 3 related to GDPR infringements.
As such, the proportion of GDPR breaches fined, as a percentage of the total number of contraventions penalised, has gone up over this period – from 8.33% in 2021 to nearly 15% in 2022. It will be interesting to see if this shift in the ICO’s focus on GDPR infractions continues in the coming year.
Nature of 2022 GDPR-related Fines
One of the 5 GDPR fines in 2022 was imposed for unlawful processing which straddled Brexit day (31 December 2020), hence the fine was imposed under both the pre-Brexit GDPR and the post-Brexit UK GDPR. The other 4 fines related to pre-Brexit processing in 2018, 2019 and 2020 and were issued as part of the ICO’s old powers under the original GDPR. As time passes, the proportion of cases the ICO investigates which involve pre-Brexit processing will inevitably decline. As such, many (if not the majority) of the GDPR fines imposed in 2023 will likely be for breaches of the UK GDPR only. The UK GDPR is, currently, nearly identical to the original GDPR (now known in the UK as the ‘EU GDPR’).
Level of Fines
The 34 fines imposed by the ICO in 2022 ranged from £2,000 to several million pounds. Most (21) fines were £100K or under. In total, the 34 fines brought in over £16m to the Treasury although, as the ICO has been at pains to stress, revenue generation is not the point of the exercise! (As an aside though, in June of 2022, the ICO came to an agreement with the Government that allows the regulator to keep some of the money from fines, up to £7.5m per financial year, to offset against its litigation costs.)
GDPR Breaches Receive Biggest Fines
The largest fine levied by the ICO in the year was a £7,552,800 (9 million euros) penalty handed out to the American company Clearview AI Inc. in May 2022 for its breaches of multiple articles of the GDPR and UK GDPR. The breaches related to its enormous unlawful ‘data scraping’ activities, i.e., where a computer programme extracts data from human-readable output sourced from another programme. The second biggest fine (£4.4m) was imposed on Interserve Group Limited in October 2022 for data security contraventions that resulted in a cyberattack which compromised the personal data of up to 113,000 of its employees. The third highest fine (£1.35m) was imposed on Easylife Limited for unauthorised profiling using individuals’ medical purchase history data without their consent. It is noteworthy that although penalties for GDPR infringements comprised the minority (5 out of 34) of the fines, the three most severe fines all related to GDPR breaches.
Areas of the GDPR Being Breached in 2022
The breakdown of the actual provisions of the GDPR/UK GDPR infringed in the relevant 5 cases is as follows:
Because it was so egregious in nature, and has been appealed against, it is difficult to extrapolate too much from the Clearview breach. However, there are some common factors among 3 of the other GDPR cases which resulted in fines, namely data security failures (non-compliance with Principle 6, the integrity and confidentiality principle, and/or Article 32) resulting in:
- Misdirected emails, which caused serious personal data breaches, leading to harm to the data subjects
- Major financial loss and reputational damage to the responsible organisations.
If you would like to understand how compliant your organisation is with the GDPR, please complete the form below and URM can organise a high level gap analysis.
Do you need assistance in improving your GDPR compliance position?