More than 2.8 million pounds uncollected in annual fines by ICO
ICO and fines
Britain’s personal data watchdog has failed to collect millions in fines for breaches of the Data Protection Act (DPA).
The Information Commissioners Officer (ICO) is responsible for enforcing the DPA and new GDPR regulations, which come into force today (25 May 2018). Figures obtained through Freedom of Information requests by me show:
The total sum of fines issued under the Data Protection Act 1998 (DPA) and Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) for each of the last three financial years is:
2015-16 – £2,529,250
2017-18 – £4,809,700
But how much of this was actually received?
2015-16 – £748,100
2016-17 – £1,938,600
2017-18 – £1,923,655
So, in the most recent year, for example the ICO has failed to collect more than 60% of the fines it has imposed, for a total of more than 2.8 million pounds.
Whilst the total of fines has been increasing, the collection rate has been decreasing. The ICO is keen to point out that there are several factors that have an impact on the difference between the total amount fined and the total amount paid for each financial year.
GDPR means more cash for the ICO
According to the law, companies and other organisations must register with the ICO and pay an annual fee for the privilege. I uncovered how the ICO will benefit financially from the new GDPR rules. Last year (2017/18) £21,299,976 was raised in data protection fees income. The projected data protection fee income for this year (i.e. financial year 2018/19) is £32,341,250. This represents an uplift of £11,041,274.
74% of the ICO’s income will be spent on salaries, that’s a massive £24,983,045 for around 400 staff!
I contacted the 31 other countries bound by the EU law regarding the data protection registration and asked them if they charged a fee. 15 responded to say that they did not.
Support for businesses from the ICO lacking
Although generally good news for consumers (Ten ways GDPR will help consumers) the ICO faces widespread criticism of its handling of the new GDPR legislation. Despite the massive hike in projected income and increase in staff, big business and sole traders alike are frustrated by the lack of support and consistent advice on the new data privacy law.
We are all seeing an increase of emails requesting consent to keep recipients on their mailing list which are unnecessary where they already have our permission. Laura Light, blogger at savings4savvymums is one of many sole traders who is frustrated by all the conflicting advice. “I was on the phone last week asking about opt-ins to then be told by a different advisor the info I was told was wrong! They need to get their facts straight and stick to them. How on earth can anyone be expected to get it right when the ICO doesn’t even know what’s right?”
Naomi Willis was left on hold for 1 hour 4o minutes before being cut off and then again for nearly two hours when she rung the ICO. To say nothing of the ICO website being down for most of the day yesterday!
Why is a registration fee for data protection needed?
Naomi from Skint Dad, a small business, questions the need for a fee: “The whole idea of GDPR is that everyone should be doing it. I don’t therefore understand why most need to pay a fee to the ICO. Having a fee is just putting people off from following the new legislation. It’s not like the money has gone on any support!”
And as mentioned above – other countries undertaking the same work are not charging. Why?
Jumping on the GDPR bandwagon
GDPR causing unnecessary costs for small organisations
The cost of GDPR is hitting business across the board, especially in the not-for-profit sector. Already strapped for cash schools and local authorities must spend thousands of pounds on privacy staff and external advice but are not being given any extra funding to do so.
ICO and protection irony
ICO is making sole traders postal addresses public! For most sole traders this is their home address making them vulnerable to a number of issues. The ICO does not have to make these home addresses public. But, the ICO said ““Even though it is no longer a legal requirement under the GDPR, the ICO will continue to publish a register of data controllers because we recognise there is a public interest in transparency and accessibility. It is important that data subjects have a clear way to contact data controllers and to exercise their legal rights. Being a data controller represents responsibilities, one of which is to be easily accessible to data subjects. We will be publishing the postal addresses of data controllers, including sole traders. We will not be asking for consent to do so but we will be advising them that they can provide a PO Box address instead if they wish to do so.”
ICO and glass houses..
I think Naomi sums it up perfectly. “Information we need to provide must be “concise, transparent, intelligible and easily accessible” but the ICO seem to be having a hard job of doing this themselves! What I’ve seen from them is long winded, full of holes, late and the information on their site goes around in circles, let alone having a chance to speak to a human for support!”
Time perhaps for the ICO to get its own house in order before it starts looking at fining businesses?
 A spokesperson for the ICO said that “If the Commissioner receives full payment of the monetary penalty within 28 calendar days of the notice being sent, the Commissioner will reduce the monetary penalty by 20%. Secondly, ongoing or successful appeals against a CMP will delay, or negate, the amount of CMP to be paid. In some cases, appeals to the FTT can lead to the reduction in the amount organisations are required to repay. In addition, each monetary penalty notice issued will define a timeframe in which the CMP should be paid, which will be a period of at least 28 calendar days beginning the first day after the monetary penalty notice has been served. Therefore, in more recent cases, although a monetary penalty notice has been issued, payment may not yet have been made.”