It is widely known that for serious infringements of the data protection principles, the enforcement body (for the UK this will be the ICO) has the power to issue fines of up to £17.5 million or 4% of a company’s annual worldwide turnover, whichever is higher.
What is not so well known is that the UK GDPR sits alongside both the Data Protection Act (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR), each of which is also enforced by the ICO.
Previously, some company directors have been known to put their company into liquidation to try to avoid paying the fines.
However, since early 2017, amendments to the PECR legislation have made it possible for such directors to be held personally liable and forced to pay fines of up to half a million pounds in addition to the fine imposed on their companies. The ICO can also bring a criminal prosecution against such directors.
Here are some of the recent enforcement actions taken by the ICO:
- Levales Solicitors LLP
- WerepairUK Ltd
- WerepairUK Ltd
- Service Box Group Limited
- Service Box Group Limited
- Police Service of Northern Ireland
- Bonne Terre Limited t/a Sky Betting and Gaming
- The Labour Party
- Coastal Windows & Conservatories (UK) Limited
- Coastal Windows & Conservatories (UK) Limited
- The Electoral Commission
- Chelmer Valley High School
- Dyfed Powys Police
- South Wales Police
- Metropolitan Police Service