Analysis of Fines Imposed by the Information Commissioner’s Office in 2022

Reasons and Nature of 2022 GDPR-related Fines

By Emily Martin. Published about a year ago. 4 min read.

When working towards GDPR compliance, it is useful to know where other organisations are failing to comply. To gain that insight, URM has reviewed and analysed the monetary penalties imposed in 2022 by the Information Commissioner's Office (ICO), the UK's data protection and privacy regulator. The analysis also looks for notable differences from the previous year, 2021.

Number of Fines and Sector Focus

In 2022, the ICO imposed a total of 34 monetary penalties across 33 cases (i.e. one organisation received two separate penalties). The split between private and public sector organisations is illustrated in the accompanying pie chart (not reproduced in this text).

An interesting observation is that, of the 33 organisations fined in 2022, only one operates in the public sector. This should not come as a surprise given the announcement made by the Information Commissioner, John Edwards, in the summer of 2022: the ICO intends to revise its enforcement approach towards public bodies, and the Commissioner stated that, rather than imposing fines ultimately funded by taxpayers, more practical and effective sanctions would be reprimands and 'naming and shaming'. It will be interesting to see whether the proportion of public institutions fined by the ICO remains low in 2023. Notably, the only 2022 fine on a public sector body was against Tavistock & Portman NHS Foundation Trust, and the ICO reduced the penalty from £784,800 to £78,400.

The 2022 total is remarkably similar to 2021, when 36 fines were issued, of which 35 were imposed on private sector organisations and, again, only one on a public sector body.

Reasons for Fines Being Imposed

Let's look at the reasons behind the fines imposed by the ICO in 2022. The following table (not reproduced in this text) summarises the regulations whose breach led to each fine.

Perhaps surprisingly, the majority of the fines imposed by the ICO related not to violations of the GDPR/UK GDPR but to breaches of the Privacy and Electronic Communications Regulations (PECR), which govern electronic marketing such as unsolicited calls, texts and emails. In 2022, 29 of the 34 penalties were for PECR infringements and only 5 for GDPR/UK GDPR breaches. By comparison, of the 36 fines imposed in 2021, 33 were for PECR infringements and only 3 for GDPR breaches. There is currently no indication from the ICO that the balance of its enforcement effort between PECR and UK GDPR will shift in 2023.

Consequently, the share of fines relating to GDPR breaches rose from 8.33% (3 of 36) in 2021 to nearly 15% (5 of 34) in 2022. It will be interesting to see whether this greater emphasis on GDPR infractions persists in the coming year.

Nature of 2022 GDPR-related Fines

Of the five GDPR fines in 2022, one was imposed for unlawful processing that straddled the end of the Brexit transition period (31 December 2020), and was therefore issued under both the EU GDPR (for processing up to that date) and the UK GDPR (for processing from 1 January 2021). The other four fines concerned pre-Brexit processing in 2018, 2019 and 2020 and were issued under the ICO's original powers derived from the EU GDPR. Over time, the proportion of ICO cases involving pre-Brexit processing will inevitably fall, so most of the GDPR fines imposed in 2023 are likely to concern breaches of the UK GDPR only. For now, the UK GDPR is nearly identical to the original regulation, referred to in the UK as the 'EU GDPR'.

Level of Fines

The fines imposed by the ICO in 2022 ranged from £2,000 to several million pounds, with the majority (21 of 34) being £100K or less. Collectively, these 34 fines generated over £16 million for the Treasury. As the ICO has emphasised, revenue generation is not the purpose of these fines. Nonetheless, in June 2022 the ICO reached an agreement with the Government allowing it to retain some of the fine income, up to £7.5 million per financial year, to offset its litigation costs.

GDPR Breaches Receive Biggest Fines

The largest fine imposed by the ICO in 2022, £7,552,800 (approximately 9 million euros), was levied against the American company Clearview AI Inc. for multiple breaches of the GDPR and UK GDPR. The violations stemmed from Clearview's unlawful data scraping, i.e. using automated software to extract content that was published for human viewing (in Clearview's case, images of people's faces and associated data from publicly available web pages and social media) in order to build a facial recognition database. The second-largest fine (£4.4 million) was imposed on Interserve Group Limited in October 2022 for data security failures that allowed a cyberattack to compromise the personal data of up to 113,000 employees. The third-highest fine (£1.35 million) was imposed on Easylife Limited for profiling individuals, without their consent, on the basis of what their purchase history implied about their medical conditions. Notably, although GDPR infringements accounted for a minority of the fines (5 of 34), the three largest penalties were all for GDPR breaches.

Areas of the GDPR Being Breached in 2022

The breakdown of the specific GDPR/UK GDPR provisions breached in the relevant five cases is as follows:

The Clearview breach was particularly egregious in nature and the fine is currently under appeal, so it is difficult to draw general conclusions from it. However, three of the other four GDPR cases resulting in fines shared a common factor: data security failures (non-compliance with Principle 6, the integrity and confidentiality principle in Article 5(1)(f), and/or the security of processing obligations in Article 32), leading to:

  • Cyberattacks
  • Misdirected emails causing significant personal data breaches and harm to data subjects
  • Substantial financial losses and reputational damage to the responsible organisations.

If you are interested in assessing your organisation's GDPR compliance, please contact URM, a leading provider of GDPR consultancy services, to arrange a high-level gap analysis.

About the Creator

Emily Martin

I'm a longstanding GDPR/data protection/privacy specialist with huge experience of both in-house and private practice, gained working across a range of sectors including hi-tech science, media, publishing, higher education, and IT.

© 2024 Creatd, Inc. All Rights Reserved.