The Information Commissioner’s Office (ICO) fined businesses more than £14.3 million for misusing data last year, according to an analysis by cyber security and data protection consultancy CSS Assure.
ICO fines were imposed on 18 businesses, with the ICO also reprimanding 36 companies, issuing enforcement notices against a further 19, and prosecuting four businesses for failing to meet their obligations on information rights.
The year's largest fine, £12.7 million, was imposed on social media platform TikTok for breaching data protection law around the use of children’s personal data, with the ICO estimating that up to 1.4 million under-13s in the UK were able to use the video sharing app in 2020.
Charlotte Riley, director of information security at CSS Assure, said the ICO fines underline the serious repercussions faced by businesses for failing to adhere to robust data protection standards.
"The fines imposed by the ICO in 2023 highlight the serious consequences of misusing data," she said. "Mishandling personal information not only violates data protection laws but also erodes trust among consumers."
"TikTok’s £12.7 million penalty underscores the importance of lawful use of personal data and implementing appropriate safeguards, especially when it involves children," Riley added. "TikTok is a large, well-known brand, and its fine was substantial due to the sheer amount of data involved."
ICO fines issued for marketing violations
There were a combined £310,000 in ICO fines for three marketing firms found to be making a total of 483,051 unsolicited marketing calls to businesses and sending 107 million spam emails to jobseekers, analysis from CSS Assure revealed.
Similarly, two energy firms were fined a combined £250,000 for making marketing calls to people on the UK’s ‘do not call’ register.
A business support consultancy was also fined £30,000 for sending 558,354 direct marketing SMS messages without valid consent while an appliance service and repair company was fined £200,000 for making more than 1.7 million unsolicited direct marketing calls.
During the second half of the year, 10 companies were collectively fined more than £800,000 for sending a total of 4,698,841 unwanted text messages, 39,906,342 emails, and making 1,937,028 nuisance phone calls.
Riley said the sharpened focus on cracking down on nuisance calls and spam marketing tactics serves a clear message to organizations across the country for the year ahead.
"The fines imposed on businesses for unsolicited calls and text messages, and spam emails, as well as firms for disregarding the 'do not call' register, demonstrate the significant impact of invasive marketing practices," she said.
"These penalties send a clear message that companies must respect individuals’ privacy preferences and refrain from bombarding them with unwanted communications."
The ICO had a “busy year” in 2023
The ICO described 2023 as 'a busy year', noting that it handled 116,000 business service calls and 70,000 public advice calls.
The watchdog also received more than 33,000 data protection complaints and over 7,000 FOI complaints, with 288 investigations opened and 346 closed.
Its priorities for this year, it said, are to support the new Data Protection and Digital Information (DPDI) bill as it makes its way through Parliament, and to set out clear expectations that privacy and artificial intelligence (AI) go hand in hand.
RELATED RESOURCE
Enhance your organizations cyber resilience with proactive threat intelligence
DOWNLOAD NOW
Speaking at TechUK’s Digital Ethics Summit last month, information commissioner John Edwards said the regulator will be taking a measured approach to AI in 2024, but warned businesses that data privacy standards must be a key consideration.
"I want to make it clear from the very start that we are not against organizations using AI," he said.
"We just want to ensure that they are using AI in sensible, privacy-respectful ways, ensuring that people’s personal information and privacy rights remain protected throughout."
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
