The year anniversary for GDPR is coming up in May, but so far, fines have not been anywhere near as much as was expected, Compliance Compendium chief business development officer Gareth Gadd explains why fines have been small so far, and why that’s soon to change.
Before 25th May 2018 many companies were unsure how the GDPR legislation (actually called the UK Data Protection Act 2018 – aka UK DPA 2018) would affect their business practices. In the run up to the legislation the headlines focused on the potential for eye-watering fines for non-compliance (of up to 4% of global annual turnover).
Many commentators seem to feel that fines levied by the UK Information Commissioners Office (ICO) to date have been small in comparison to expectation. Part of that has been because what should have been headline grabbing fines ended up being much lower because the companies involved were fined under the 1998 version of the Data Protection Act. The second reason is that the ICO has given companies time to get their houses in order. Thirdly, the ICO is not a large organisation so they have had to target their resources on other matters before training their sights on likely offenders. Finally, the ICO say that they want people to comply rather than handing out fines.
Regarding recent fines, if you do the sums, then what actually happened is that fines increased by nearly 90% in 2018 over 2017.
So, we can only expect fines to increase further as the ICO gain resources as it will be free of the distraction of revamping its information to incorporate DPA 2018. 2019 will be the year that we start to see the GDPR legislation taking a firm hold and fines increase in both volume and value. The largest fine we might see in 2019 could be as a result of the Marriott Hotels Starwood Guest Reservation System data breach. Marriott have already tried to manoeuvre their way into being considered under the older less punitive legislation by saying that this was a long-term breach. Nice try, but I think the ICO will be looking to increase their Marriott rewards.
2019 will also be the year of an increase in lower key fines. Think of a speeding ticket anology. These will not grab the headlines in value but volume should increase as the ICO get used to issuing fines. Even though they would rather not issue any…
| Year | Enforcements | Value | Increase |
| 2015 | 19 | £2,186,250 | |
| 2016 | 31 | £2,979,000 | 36.26% |
| 2017 | 52 | £3,977,500 | 33.52% |
| 2018 | 37 | £7,543,500 | 89.65% |
Source UK Information Commisioners Office
Total volume of capital investments to GDPR-focused companies, outlines institutions have clearly understood the pressures on them to meet compliance and the level of work needed to meet compliance. There has been nearly $750m invested into RegTech companies which have developed a GDPR solution, representing around 12.1 per cent of the total $6.1bn to be raised in the global RegTech sector, according to data by RegTech Analyst.
This makes GDPR the third highest funding regulation in terms of startup funding between 2014 and 2018. Only KYC and AML solution providers, which received $2.1bn and $1.7bn respectively, have received a higher level of funding.
Copyright © 2018 RegTech Analyst
