cloudThing logo in white
Menu open icon
tel: +44 (0) 121 393 4700
Menu closed icon


Generally useful pages


We know loads about this stuff

What we do

The Building Blocks for cloudThing Magic

ICO Struggling To Collect Fines From Firms Using A ‘Phoenix’ Loophole

Mon Dec 07 2020

The Information Commissioner’s Office is struggling to collect the fines it’s issuing

The Information Commissioner’s Office (ICO) has, over the last couple of years, been struggling to collect many of the fines it’s issued for GDPR breaches and other instances of regulatory non-compliance.

This has meant that many organisations have basically been ‘let off the hook, for their breaches, at least according to a new Freedom of Information (FOI) request made by SMS Works.

The SMS Works API company made the request after tracking the ICO since 2018. It found that, since 2015, around £7m or, 42% of the total fines levied in that period, have still not been paid.


Their latest FOI request has now revealed since then the ICO have only been able to collect one more of the 47 outstanding fines issued up until Jul 2019.

In real terms that means there’s still £6.6 million, or over 39% of those fines still to be collected.

It gets worse though.


Since July 2019, their fine collection record hasn’t really improved, despite promising last year that they’d be stepping up their debt collection initiatives with the aid of third part collection agencies.

Of the twenty-one fines issued but July 2019 and August 2020, only nine have been paid.

Or again, in real terms, that’s 68% of the money still outstanding.


Breaking that down a little, the ICO has managed to collect 54% of their fines for data breaches but just 13% of the fines they issued for companies making nuisance phone calls.


A big part of that is, despite a change to legislation making company directors responsible for paying fines, a practise known as ‘phoenixing’ is still extremely common.

Company directors, when faced with large ICO fines, simply declare bankrupt and relaunch their business under a new name/trading name to escape further debt collection efforts.


The FOI request also highlighted that the ICO issued 89 fines in the 2017-2018 period after GDPR came into effect but only 2019 in the same 2019-2020 period.

It’d be nice to think those figures are based on firms becoming more compliant as GDPR regulations ‘bed-in’ but SMS Works feels differently.

open quote mark

The ICO does, after all, employ over 500 staff in four offices across the UK, so its not short of manpower. I believe the main issue it faces is that despite changes in the law, it's still too easy for companies and individuals that break the rules to find ways to avoid paying. In many cases the fines issued have been way in excess of the organization's ability to pay.

Henry Cazalet – Director, The SMS Works

close quote mark

The SMS Works suggested the answer may be in the ICO levying more, but smaller, fines for breaches and spam call breaches of the regulations although that may be difficult when coupled with the fact that the original drafters of the GDPR regulations actually pushed for the ability to be able to fine more than the current limit of £20m or 4% of a firms total global turnover.

Not Quite Ready To Get Back To Work Just Yet?




Contact Us



Company Name


Email Address


Telephone Number

Is there anything else you'd like us to know?

© cloudThing 2021

Mon Dec 07 2020

© 2020 Copyright cloudThing ltd. All rights reserved. Company registered in England & Wales no. 7510381, VAT no. 152340739