Where does the money from ICO fines go?
- By Eleanor Blackwood
It's a lot of money.
What is the Information Commissioner's Office (ICO)?
The Information Commissioner's Office (ICO) is the UK's independent regulatory office in charge of upholding information rights, in the interest of the public.
⚠️ Personal data = any information that can be used to directly or indirectly identify you. Think your postal address, ID or political beliefs.
What do they fine companies for?
British law states that anyone who handles personal data, like companies, must do so according to certain rules and principles. These include ensuring that personal data isn't accidentally lost or damaged, and not using more data than strictly necessary.
It's important to note that the amount demanded in fines also depends on how many people were affected and whether or not special category data was also lost.
How much can the ICO fine companies?
The fines can depend on the factors we mentioned above, but there are two tiers of penalties when it comes to the maximum that the ICO can charge.
As the ICO notes:
The standard maximum fine is 10 million euros (or equivalent in sterling), or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
The higher maximum amount is 20 million euros (or equivalent in sterling), or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
It's important to bear in mind that the ICO fine amount can be added to by people pursuing private legal action against companies. A great example of this in the UK is the largely new pursuit of data breach class actions, where groups of consumers who've been negatively impacted can collectively sue companies for mishandling their personal data.
Some examples of ICO fines
Recently, the ICO has given out fines that many would view as astonishing figures. Here are some examples:
The ICO fined the airline Cathay Pacific £500,000 for failing to protect the personal data of 9.4 million global customers.
Hackers got hold of information like:
- customer names
- phone numbers
- travel history
The airline’s data protection procedures fell far short of what was required by British law at that time. Some data was stored without passwords, the airline didn’t secure its internet servers and didn’t have adequate anti-virus protection. A fine of £500,000 was the maximum possible because the breach took place between 2014 and 2018, before GDPR was introduced.
In 2019, the ICO fined the Marriott hotel group £99.2 million.
This is because:
- Of the 339 million guest records that were hacked, over 30 million related to residents of 31 countries in the European Economic Area.
- Seven million of these related to UK residents.
Marriott said it would appeal against the fine.
You may remember that in July 2019 the ICO announced its biggest fine for a data breach yet: £183 million.
- The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site.
- Through this false site, details of about 500,000 customers were harvested by the attackers.
Speaking about the incident, Information Commissioner Elizabeth Denham said:
'People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.'
So far, the ICO has collected over £39 million in fees and predicts that this number will continue to grow rapidly.
So, where does the ICO fine money go?
These are some staggering figures, and they cause us to wonder: where does all of this money go?
The ICO’s website is clear: after it collects money from a fine, it transfers that money directly to the Government’s Treasury Consolidated Fund. While the ICO doesn’t keep the money, the government can issue some of it back to fund the ICO’s data protection work.
Specifically, around 85%-90% of the fine money becomes the ICO’s annual budget, and the rest is separate grant-in-aid from the government to fund the ICO’s regulation of various other laws.
However, this may change. The ICO is considering changing this policy to receive more money for cases when it needs to defend its decisions in court. You can find out more about this by looking through the ICO’s annual report.
Before you go
If you're concerned about your own data, you can now easily find out where it is and tell companies what to do with it through Rightly. Let us know how it goes!