The enforcement activities of the data protection watchdog, the Information Commissioner’s Office, (ICO), have increased over the past three years with a marked shift away from headline grabbing financial penalties in favour of more subtle and sophisticated enforcement tools. That is according to the audit firm PwC’s new Privacy and Security Enforcement Tracker.
The number of enforcement notices, which give orders to business to take remedial action, quadrupled in the last two years. Meanwhile the number of businesses criminally prosecuted rose significantly, from seven in 2013 to 18 in 2014. The most frequently used tool of enforcement was ‘written undertakings’, through which businesses promise to change their ways. Whilst the number of financial penalties issued fell from 18 in 2013 to 11 in 2014, the average value of these penalties increased 24pc, from £84,000 to £104,000.
The shift from the use of fines and the preference for enforcement notices and undertakings will deliver greater benefits for consumers, according to the auditor, because businesses are focused on taking constructive steps to protect personal information and privacy. They also present more peril for companies, because the cost of remedial actions will often exceed the maximum fine that the ICO can levy: £0.5m.
The main reason for ICO enforcement in the UK continues to be security breaches but marketing offences are also becoming more prevalent. In one case a music festival organiser was fined £70,000 for sending over 70,000 unsolicited marketing text messages. The significant fine suggests a move towards a much stronger enforcement environment for activities connected with the monetisation of the customer. Businesses are warned that data analytics about consumer behaviours and consumer profiling are likely to occupy more of the regulator’s attention, if these activities are profit making.
Stewart Room, partner at PwC Legal and author of the report, said: “If you are a regulated entity, you cannot afford not to track and react to developments in enforcement cases. If you don’t understand what is happening on the ground you will fail to adjust your business operations to take account of current and emerging regulatory priorities. You will then be exposed to enforcement action, which can cause massive business disruption.
“Regulators are acquiring expertise, knowledge and insight to match any business. What we are witnessing is the emergence of what will be one of the toughest regulatory environments for business. New EU data protection legislation, to be adopted in the next 12 months and fully implemented by 2018, will bring tougher sanctions that aim to make the ICO and his EU counterparts some of the most powerful business regulators in existence. Offending companies could soon be forced to hand over up to 5pc of their annual worldwide turnover to regulators who are becoming increasingly savvy in the way they perform their activities.”
