Mon Dec 07 2020
The Information Commissioner’s Office is struggling to collect the fines it’s issuing
The Information Commissioner’s Office (ICO) has, over the last couple of years, been struggling to collect many of the fines it’s issued for GDPR breaches and other instances of regulatory non-compliance.
This has meant that many organisations have basically been ‘let off the hook’ for their breaches, at least according to a new Freedom of Information (FOI) request made by SMS Works.
The SMS Works API company made the request after tracking the ICO since 2018. It found that, since 2015, around £7m, or 42% of the total fines levied in that period, has still not been paid.
Their latest FOI request has now revealed that, since then, the ICO has only been able to collect one more of the 47 outstanding fines issued up until July 2019.
In real terms, that means there’s still £6.6 million, or over 39% of those fines, to be collected.
It gets worse though.
Since July 2019, their fine collection record hasn’t really improved, despite promising last year that they’d be stepping up their debt collection initiatives with the aid of third-party collection agencies.
Of the twenty-one fines issued between July 2019 and August 2020, only nine have been paid.
Or again, in real terms, that’s 68% of the money still outstanding.
Breaking that down a little, the ICO has managed to collect 54% of their fines for data breaches but just 13% of the fines they issued for companies making nuisance phone calls.
A big part of that is that, despite a change to legislation making company directors responsible for paying fines, a practice known as ‘phoenixing’ is still extremely common.
Company directors, when faced with large ICO fines, simply declare bankruptcy and relaunch their business under a new name or trading name to escape further debt collection efforts.
The FOI request also highlighted that the ICO issued 89 fines in the 2017-2018 period after GDPR came into effect but only 2019 in the same 2019-2020 period.
It’d be nice to think those figures are based on firms becoming more compliant as GDPR regulations ‘bed-in’ but SMS Works feels differently.
The ICO does, after all, employ over 500 staff in four offices across the UK, so it's not short of manpower. I believe the main issue it faces is that despite changes in the law, it's still too easy for companies and individuals that break the rules to find ways to avoid paying. In many cases the fines issued have been way in excess of the organization's ability to pay.
SMS Works suggested the answer may lie in the ICO levying more, but smaller, fines for breaches and spam call breaches of the regulations, although that may be difficult given that the original drafters of the GDPR regulations actually pushed for the ability to fine more than the current limit of £20m or 4% of a firm’s total global turnover.