It is widely known that, for serious infringements of the data protection principles, the enforcement body (for the UK this will be the ICO) has the power to issue fines of up to £17.5 million or 4% of a company’s annual worldwide turnover, whichever is higher.
What is not so well known is that the UK GDPR sits alongside both the Data Protection Act (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR), each of which is also enforced by the ICO.
Previously, some company directors have been known to put their company into liquidation to try to avoid paying the fines.
However, since early 2017, amendments to the PECR legislation have made it possible for such directors to be held personally liable and forced to pay fines of up to half a million pounds in addition to the fine imposed on their companies. In addition, the ICO can bring a criminal prosecution against such directors.
Here are some of the recent enforcement actions taken by the ICO:
- United Lincolnshire Teaching Hospitals NHS Trust
- Money Bubble Ltd EN
- Money Bubble Ltd MPN
- Breathe Services Ltd
- Breathe Services Ltd
- DPG Professional Services Ltd
- City of London Police
- Southend-on-Sea City Council
- Quick Tax Claims Limited
- Quick Tax Claims Limited
- National Debt Advice Limited
- National Debt Advice Limited
- Levales Solicitors LLP
- WerepairUK Ltd
- WerepairUK Ltd