The Only Way Is Up – Fining Powers on the Increase for Data Protection Breaches

Julianna Tolan
Julianna Tolan

Last year saw the Information Commissioner’s Office impose record fines for data protection breaches, totalling £2,155,500.

TalkTalk was on the receiving end of the greatest financial penalty in ICO history for a highly publicised cyber-attack that claimed more than 150,000 of its customers’ personal details. The regulator considered these security failings sufficiently grave to issue the telecoms company with a £400,000 fine, close to its maximum fining powers of £500,000.

Other recipients of financial penalties from the ICO in 2016 included EE Limited, Hampshire County Council and David Lammy MP. In the latter case, Mr Lammy was accused of instigating 35,629 calls over two days, playing a recorded message that urged people to back his campaign to be named the Labour party candidate for London Mayor. This conduct resulted in a £5,000 fine for nuisance calls.

Of course, the ICO has a host of other enforcement tools at its disposal, such as issuing undertakings, serving enforcement notices and in the most serious cases, commencing a criminal prosecution against individuals or companies who contravene the Data Protection Act.

But for bottom-line conscious business, monetary penalties have historically been an effective means of compelling compliance with good business practice.

That ought to be the case now more than ever, as the EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018, which will radically increase the maximum fines that can be imposed on UK businesses from £500,000 to an upper limit of €20 million or 4% or annual global turnover – whichever is higher.

These previously unprecedented fining powers mean that for many companies, the outcome of a serious data protection breach could conceivably result in insolvency or even closure of the business.

Given the profound detriment that data losses have been shown to cause to consumers over the past 12 months, it is perhaps timely that the ICO is finally catching up with other UK regulators. Enforcement authorities in the fields of health and safety, competition and environmental protection have long possessed the power to impose exorbitant fines capable of closing errant businesses down.

With the GDPR on the horizon, businesses should now seize the opportunity to monitor and review their compliance with data protection laws, including the effectiveness of internal policies and procedures. After all, the consequences of failing to do so could be costly.

Julianna Tolan is an Employed Barrister in the Dispute Resolution team at Fox Williams LLP acting for commercial and financial services clients in respect of contentious and non-contentious regulatory issues. Julianna can be contacted at

A New European Cyber Security Strategy – Part I

Julianna Tolan
Julianna Tolan

The Threat

Globalisation and advances in on-line commerce have been key to the success of many European businesses. The growth of the internet has enabled the UK in particular to tap into markets that were previously inaccessible, as a global leader in e-commerce. But as well as bringing new opportunities, this reliance on cyberspace also presents new challenges and risks.

The prospect of cyber-attacks on businesses in the UK has never been more potent. Based on the 2015 Information Security Breaches Survey Report by the Department for Department for Business, Innovation and Skills, 90% of large corporations and 74% of small businesses reported a cyber-breach in 2015. It has been estimated that the cost for the worst cyber-security breach estimated between £1.5m to £3.14m for large businesses and £75k to £310k for smaller ones.

Alongside international terrorism, the National Security Strategy categorised cyber-attacks as a Tier One threat to our national security and in recent months George Osborne raised the prospect that terror groups may launch deadly cyber-attacks on Europe.

A New Way Forward

Historically, the approach to cyber security amongst member states has varied considerably, with a patchwork of different legislative regimes. Those states with insufficient security measures diminished the EU’s overall protection and exposed it to attack.

Prompted by mounting concerns about online security issues, in July 2012 the European Commission launched a public consultation on a new strategy for network and information security. The results of this consultation were that 57% of respondents had experienced security problems in the previous year that had seriously impacted upon their activities.

As a result of these findings, on 7 February 2013 the Commission published a proposed new directive on cyber security, which would harmonise the way member states addressed information and network security. Alongside this directive, the European Commission published a Joint Communication setting out an EU cyber security strategy.

It was hoped that these measures would close any existing loopholes in the existing legislative framework of EU countries. At the same time, it demonstrates the Commission’s commitment to the issue of cyber security, both for its citizens and for businesses within and outside of the EU.

On 7 December 2015, negotiators of the European Parliament, the Council and the Commission  agreed on the first EU-wide legislation on cybersecurity. The text will now be formally approved by the European Parliament and the Council. After that it will be published in the EU Official Journal and will officially enter into force. Member States will have 21 months to implement this Directive into their national laws and 6 months more to identify operators of essential services.

In A New European Cyber Security Strategy – Part II, we will outline the key  provisions of this historic cyber-security legislation.