ICO Issues Record Fines in 2020/21

David Paul

The numbers come as no surprise after a series of high-profile fines over the last two years.

The Information Commissioner's Office (ICO) hit firms with a record number of fines over 2020 and into 2021.

ICO fines issued in the last two years were the highest on record at £42m – an increase of 1,580% from the £2.5m in fines issued the previous year, according to law firm RPC.

The rise is driven by news of a £20m fine issued to British Airways after a major data breach in 2018. It was ruled that the firm failed to protect customer data, although the fine was considerably lower than the £183 million proposed in 2019.

Marriott Hotels also faced an £18.4m fine in October last year for failing to protect customer data, with both breaches compromising millions of customers’ personal information.

The maximum fine the ICO can issue is £17.5 million or 4% of a company’s total worldwide annual turnover, whichever is higher. However, in the cases of British Airways and Marriott, the total was far higher.

Commenting on the statistics, Richard Breavington, Partner at RPC, said: “Clearly the ICO will impose blockbuster fines when it wants large organisations to sit up and take notice. However, overall, the ICO has been very fair in terms of the levels of fines it has set.

“The overall number of fines arising from cyber breaches has remained fairly consistent despite a sharp jump in the number of actual cyber-attacks. At the outset of the GDPR regime there was the concern that the ICO would be making full use of its powers to fine but so far it seems to only be fining as a last resort.

“The two large fines could have been even higher, but the ICO appears to have taken into account the devastating impact of coronavirus on the travel and hospitality sectors and reduced them. However, businesses shouldn’t become complacent.”


As well as enforcement action against companies that fail to take adequate measures to prevent data breaches, the regulator has also penalised businesses that engage in nuisance marketing tactics.

The research shows there was a fourfold increase in the number of fines related to nuisance messaging and cold calling compared to the previous year. The ICO has also levied penalties on firms that sent out “unwanted marketing emails” and cold called customers.

Breavington added: “As organised cyber gangs seem to be acting with ever more sophistication, corporates should plan on the basis that they will suffer a successful breach of their systems at some stage.

“A measure of success will be how well their sensitive customer data is protected in that breach. Will they be able to limit the amount of data taken from their system and how effectively will they respond to the breach when they discover it?”

David Paul

Staff Writer, DIGIT
