The Information Commissioner’s Office (ICO) is still struggling to collect monetary penalties from many of the organizations it has fined for privacy and data protection breaches over the past few years, according to newly revealed data.
SMS API provider, The SMS Works, submitted Freedom of Information (FOI) requests to the UK’s data protection watchdog and now has a complete breakdown of paid and unpaid fines since 2015.
Since then, the ICO has fined 152 organizations a total of £16.6 million, mainly for data breaches, spam and nuisance calls. Some 30% are still unpaid, which amounts to over £7 million, or 42% of the total.
All penalties raised were for incidents that took place before GDPR came into force, so the maximum possible fine was £500,000, The SMS Works director, Henry Cazalet, confirmed to Infosecurity. The recent multimillion-pound BA and Marriott fines are still under appeal and so aren’t included in this research.
The prime offenders for non-payment are in the claims management sector — companies responsible for tens of millions of nuisance calls over the years. So far, 84% of fines have been left unpaid in this sector, often because the companies involved go bankrupt to avoid payment.
In fact, by category, the ICO has only collected 23% of nuisance call fines, versus 64% of email spam fines and 74% of SMS spam fines. When it comes to data breaches, 85% of fines have been paid.
In contrast to the claims management industry, charities and public sector organizations have paid 100% of the fines levied against them.
Changes to the law will hopefully make it harder for company directors to escape accountability for their wrongdoing in the future.
“We actively exercise our rights as a creditor to appoint professional insolvency practitioners, and work closely with the Insolvency Service in these cases, to not only seek to recover the money owed to the taxpayer but also to support action to disqualify the worst offenders from running companies in the future,” noted an ICO statement in response to the report.
“Some nuisance call directors liquidate their firms to avoid paying fines from the ICO. In December 2018, the law changed to make directors themselves responsible for nuisance marketing. This should have a real deterrent effect on those who deliberately set out to disrupt people with troublesome calls, texts and emails.”