Average Data Breach Penalties in the UK Have Doubled in the Last 12 Months

U.K. law firm RPC published a report that says the average penalty for security failure or data breach has increased twofold to £146,000 in the past 12 months.

ICO not long ago approved the UK’s first GDPR enforcement penalty with a fine for AggregateIQ for the breach incident that resulted to the compromising of the personal data of approximately 87 million Facebook users. The penalty is still being appealed at this time.

In the report, RPC estimated that the total amount of penalties issued by the ICO in the past 12 months rose from £4 million to £4.98m – A 24% increase.

The three largest fines for data breaches in the past year are:

Carphone Warehouse: Failed to sufficiently protect consumer and personnel data resulting in a £400,000 data breach penalty.
The British and Foreign Bible Society: Failed to stop a cyber attack that exposed the personal data of 417,000 people. A fine of £100,000 was issued.
Equifax: Failed to secure the personal data of around 15 million UK residents. The highest possible penalty of £500,000 was issued.

These penalties were issued for breaches that transpired before May 25 when the EU General Data Protection Regulation (GDPR) was introduced. If these breaches had happened after May 25, the penalties would have been higher. The maximum penalty is now €20m or 4% of annual global income, whichever amount is greater.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

RPC partner Richard Breavington commented that the doubling of fines is a wake-up call to all businesses. Cyber attacks are not slowing down at all and businesses should see to it that they protect their customer’s personal data and prevent breaches and should consider taking out cyber insurance plans.

Business operating in EU states should be mindful of the importance of meeting all GDPR requirements to ensure they avoid compliance fines. It is not enough to simply designate a Data Protection Officer located in another country, like the US. A European Union Data Protection Representative must also be appointed to serve as a local liaison to take care of your data protection management.