Wow, that year went quickly! Have you looked at the fines the ICO (Information Commissioner’s Office) has hit companies with since GDPR came into force on 25 May 2018?

They make quite scary reading…

Two words come up in many external audit conversations: one is Brexit, the other is GDPR. Because GDPR is a regulation rather than a directive, it applies in the same form across every EU member state, which makes life a lot easier for companies trading across Europe. If your company has European offices, the same data protection policies can be shared and communicated consistently.

Preventing “events” (near misses and possible future breaches) from becoming “incidents” (probable or actual breaches) is essential if you want to avoid fines. Here are just a few of the 27 companies fined by the ICO in the year since GDPR launched (most of these penalties were issued under the PECR marketing rules and the Data Protection Act, which is how the ICO itself categorises them)*:

  • September 2018 – Everything DM Ltd, a marketing agency, was fined £60,000 for sending nuisance emails

  • October 2018 – Oaklands Assist UK was fined £150,000 for making thousands of direct marketing phone calls

  • February 2019 – Eldon Insurance Services Limited (t/a GoSkippy) was fined £60,000 for sending unsolicited direct marketing emails without the required consent

  • March 2019 – Vote Leave Limited was fined £40,000 for sending thousands of unsolicited text messages in the run-up to the 2016 EU referendum

  • April 2019 – Bounty (UK) Limited was fined £400,000 for illegally sharing the personal information of more than 14 million people

  • May 2019 – Hall and Hanley Ltd was fined £120,000 for sending 3,560,211 direct marketing messages to subscribers without consent

The ICO divides its monetary penalties into two categories: breaches of PECR (the Privacy and Electronic Communications Regulations, which cover marketing calls, texts and emails) and breaches of the DPA (the Data Protection Act). Over the last two years the fines in each category were as follows*:

  • 25 May 2017 – 24 May 2018: £1,430,000 (DPA) + £3,262,500 (PECR)

  • 25 May 2018 – 24 May 2019: £2,310,000 (DPA) + £1,597,000 (PECR)

Interestingly, PECR fines have dipped while DPA fines have risen significantly. Fines were issued across a wide range of sectors, including charity, health, marketing, media, telecoms, finance, transport and leisure, government and general business. Every ICO penalty notice is published, and the damage to a company’s reputation when a fine is made public could be catastrophic for the business. Word has it that the ICO is more likely to show leniency where it can see that a company has made a genuine effort, for example by delivering staff training and conducting internal audits.

So: what is the risk appetite of your business?

*statistics from
