Last year’s ICO fines would soar to £69 million post-GDPR

Talk Talk’s £400,000 fine would rise to almost £59 million

Fines from the Information Commissioners Office (ICO) against UK companies in 2016 would have skyrocketed from £880,500 to £69 million if General Data Protection Regulation (GDPR) had been enforced, according to analysis from NCC Group. 

The fines from 2015 would also have risen drastically from £1 million to £35 million. 

Currently, the ICO can hand out fines of up to £500,000 for contraventions of the Data Protection Act 1998. These include data breaches, nuisance calls and publication of any private data. Once GDPR comes into force on 25 May 2018 there will be a two tiered sanction regime – with lesser incidents subject to a maximum fine of either €10 million (£7.9 million) or 2% of an organisation’s global turnover (whichever is greater). More significant contraventions will lead to fines of €20 million or 4% of turnover (whichever is greater).

The cyber security and risk mitigation specialist looked at all ICO fines from 2015 and 2016. Using the current maximum penalty as a guide, it created a model to determine what tier the fine would fall into and what a maximum post-GDPR fine would likely be.

Talk Talk’s 2016 fine of £400,000 for security failings that allowed cyber attackers to access customer data would rise significantly to £59 million under GDPR.

Roger Rawlinson, managing director of NCC Group’s Assurance Division, said: “GDPR isn’t just about financial penalties, but this analysis is a reminder that there will be significant commercial impacts for organisations that fall foul of the regulations.

“Businesses should have already started preparations for GDPR by now. Most organisations will have to fundamentally change the way they organise, manage and protect data. A shift of this size will need buy-in from the board.

“We recommend that companies use GDPR as an opportunity to review their entire security strategy. Cyber resilience is about effective response and remediation. Understanding that attacks will happen and ensuring appropriate reactions is crucial.”


Media contact: Lucy Giles @ MC2 – 0161 236 1352

Notes to editors
Exchange rate from euros to pounds (1.16 rounded to two decimal places) was correct on 3 March 2017.

The model

  • NCC Group analysed all of the fines issued by the Information Commissioner’s Office (ICO) in 2015 and 2016.
  • It was possible to calculate each fine as a percentage of the maximum that could have been issued at this time.
  • Using this percentage, a post-GDPR fine was calculated, based on the two tiered sanction regime – with lesser incidents mapped against €10 million (£7.9 million) or 2% of an organisation’s global turnover, and more severe incidents mapped against €20 million or 4% of turnover.
  • Depending on the nature of the business and the severity of the breach, there were some instances where a 2% or 4% fine could be applied for not keeping personal data secure. In these cases it was assumed a supervisory authority is likely to opt for the larger fine.
  • The Privacy and Electronic Communications Regulations (PECR) sit alongside data protection legislation and give individuals specific privacy rights in relation to electronic communications (such as marketing calls, emails, texts and cookies). PECR is soon to be replaced by the ePrivacy Regulation. It is likely the UK will adopt these despite leaving the European Union. We therefore cannot say for certain that regulators will fine organisations 4% for a breach of marketing regulations in the future, but we have assumed they will for the purpose of this analysis.

For full data tables, visit this link:

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With the company’s knowledge, experience and global footprint, it is best placed to help businesses identify, assess, mitigate & respond to the risks they face.

NCC Group is passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

Headquartered in Manchester, UK, with over 35 offices across the world, NCC Group employs more than 2,000 people and is a trusted advisor to 15,000 clients worldwide.

Published date:  28 April 2017

comments powered by Disqus

Filter By Service

Filter By Date