Six Months of ICO fines

A well-known high street supermarket received a fine from the Information Commissioner's Office (ICO) yesterday. I had a look at the details and you can too. It's not a vast sum but it should be cause for embarrassment. It should also be cause for concern for anyone working there who has anything to do with data protection, given the changes to the ICO's powers coming next year with GDPR.

There are still a lot of people who think GDPR will be the next Y2K - I've literally heard two separate groups of people say this. I think a lot of people think that the ICO is a paper tiger, and if you pushed them for an example of their actions they'd at best recount TalkTalk's record £400,000 fine. I thought then it might be interesting to review all of the monetary penalties the ICO has issued since the start of this year up to yesterday. All enforcement notices can be viewed online here.

ICO Monetary penalties - 01/Jan/17 to 17/Jun/17, Introduction
The ICO has issued thirty-five fines so far this year with a total value of £2,457,500. These include one £400,000 fine (matching the record set by TalkTalk), two fines of £200,000 and seven fines greater than £100,000. If we take this as week twenty-four (epoch), that's ~1.45 fines per week so far this year.

ICO Monetary penalties - 01/Jan/17 to 17/Jun/17, by Sector
The ICO enforcement notifications include a Sector category. Compiled, the totals by Sector are as follows:

ICO Monetary penalties - 01/Jan/17 to 17/Jun/17, by Offence
The ICO enforcement notifications include details around the offence. Compiled, the totals by offence are as follows:

ICO Monetary penalties - 01/Jan/17 to 17/Jun/17, by Date

Plotted by their date and fine value, the ICO enforcement actions look like this:

Summary
Hopefully this simplistic analysis highlights that the ICO is an active authority and that they can and will fine organisations who fail to protect personal information or abuse the rights of individuals they hold information about. 
